From e646a3615e5b4dbbc0ccdf5c50cb147d58843e39 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Tue, 10 Feb 2026 13:16:29 -0500 Subject: [PATCH 01/55] =?UTF-8?q?=F0=9F=8C=8A=20fix:=20Prevent=20Truncatio?= =?UTF-8?q?ns=20When=20Redis=20Resumable=20Streams=20Are=20Enabled=20(#117?= =?UTF-8?q?10)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: prevent truncated responses when Redis resumable streams are enabled Race condition in RedisEventTransport.subscribe() caused early events (seq 0+) to be lost. The Redis SUBSCRIBE command was fired as fire-and-forget, but GenerationJobManager immediately set hasSubscriber=true, disabling the earlyEventBuffer. Events published during the gap between subscribe() returning and the Redis subscription actually taking effect were neither buffered nor received — they were silently dropped by Pub/Sub. This manifested as "timeout waiting for seq 0, force-flushing N messages" warnings followed by truncated or missing response text in the UI. The fix: - IEventTransport.subscribe() now returns an optional `ready` promise that resolves once the transport can actually receive messages - RedisEventTransport returns the Redis SUBSCRIBE acknowledgment as the `ready` promise instead of firing it as fire-and-forget - GenerationJobManager.subscribe() awaits `ready` before setting hasSubscriber=true, keeping the earlyEventBuffer active during the subscription window so no events are lost - GenerationJobManager.emitChunk() early-returns after buffering when no subscriber is connected, avoiding wasteful Redis PUBLISHes that nobody would receive Adds 5 regression tests covering the race condition for both in-memory and Redis transports, verifying that events emitted before subscribe are buffered and replayed, that the ready promise contract is correct for both transport implementations, and that no events are lost across the subscribe boundary. * refactor: Update import paths in GenerationJobManager integration tests - Refactored import statements in the GenerationJobManager integration test file to use absolute paths instead of relative paths, improving code readability and maintainability. - Removed redundant imports and ensured consistent usage of the updated import structure across the test cases. * chore: Remove redundant await from GenerationJobManager initialization in tests - Updated multiple test cases to call GenerationJobManager.initialize() without awaiting, improving test performance and clarity. - Ensured consistent initialization across various scenarios in the CollectedUsage and AbortJob test suites. * refactor: Enhance GenerationJobManager integration tests and RedisEventTransport cleanup - Updated GenerationJobManager integration tests to utilize dynamic Redis clients and removed unnecessary awaits from initialization calls, improving test performance. - Refactored RedisEventTransport's destroy method to safely disconnect the subscriber, enhancing resource management and preventing potential errors during cleanup. * feat: Enhance GenerationJobManager and RedisEventTransport for improved event handling - Added a resetSequence method to IEventTransport and implemented it in RedisEventTransport to manage publish sequence counters effectively. - Updated GenerationJobManager to utilize the new resetSequence method, ensuring proper event handling during stream operations. - Introduced integration tests for GenerationJobManager to validate cross-replica event publishing and subscriber readiness in Redis, enhancing test coverage and reliability. * test: Add integration tests for GenerationJobManager sequence reset and error recovery with Redis - Introduced new tests to validate the behavior of GenerationJobManager during sequence resets, ensuring no stale events are received after a reset. - Added tests to confirm that the sequence is not reset when a second subscriber joins mid-stream, maintaining event integrity. - Implemented a test for resubscription after a Redis subscribe failure, verifying that events can still be received post-error. - Enhanced overall test coverage for Redis-related functionalities in GenerationJobManager. * fix: Update GenerationJobManager and RedisEventTransport for improved event synchronization - Replaced the resetSequence method with syncReorderBuffer in GenerationJobManager to enhance cross-replica event handling without resetting the publisher sequence. - Added a new syncReorderBuffer method in RedisEventTransport to advance the subscriber reorder buffer safely, ensuring no data loss during subscriber transitions. - Introduced a new integration test to validate that local subscribers joining do not cause data loss for cross-replica subscribers, enhancing the reliability of event delivery. - Updated existing tests to reflect changes in event handling logic, improving overall test coverage and robustness. * fix: Clear flushTimeout in RedisEventTransport to prevent potential memory leaks - Added logic to clear the flushTimeout in the reorderBuffer when resetting the sequence counters, ensuring proper resource management and preventing memory leaks during state transitions in RedisEventTransport. --- .../api/src/stream/GenerationJobManager.ts | 15 +- ...ationJobManager.stream_integration.spec.ts | 831 +++++++++++++++--- .../stream/__tests__/collectedUsage.spec.ts | 20 +- .../implementations/InMemoryEventTransport.ts | 2 +- .../implementations/RedisEventTransport.ts | 92 +- .../api/src/stream/interfaces/IJobStore.ts | 10 +- 6 files changed, 782 insertions(+), 188 deletions(-) diff --git a/packages/api/src/stream/GenerationJobManager.ts b/packages/api/src/stream/GenerationJobManager.ts index fefb0dd207..815133d616 100644 --- a/packages/api/src/stream/GenerationJobManager.ts +++ b/packages/api/src/stream/GenerationJobManager.ts @@ -745,7 +745,6 @@ class GenerationJobManagerClass { const subscription = this.eventTransport.subscribe(streamId, { onChunk: (event) => { const e = event as t.ServerSentEvent; - // Filter out internal events if (!(e as Record)._internal) { onChunk(e); } @@ -754,14 +753,15 @@ class GenerationJobManagerClass { onError, }); - // Check if this is the first subscriber + if (subscription.ready) { + await subscription.ready; + } + const isFirst = this.eventTransport.isFirstSubscriber(streamId); - // First subscriber: replay buffered events and mark as connected if (!runtime.hasSubscriber) { runtime.hasSubscriber = true; - // Replay any events that were emitted before subscriber connected if (runtime.earlyEventBuffer.length > 0) { logger.debug( `[GenerationJobManager] Replaying ${runtime.earlyEventBuffer.length} buffered events for ${streamId}`, @@ -771,6 +771,8 @@ class GenerationJobManagerClass { } runtime.earlyEventBuffer = []; } + + this.eventTransport.syncReorderBuffer?.(streamId); } if (isFirst) { @@ -823,12 +825,13 @@ class GenerationJobManagerClass { } } - // Buffer early events if no subscriber yet (replay when first subscriber connects) if (!runtime.hasSubscriber) { runtime.earlyEventBuffer.push(event); + if (!this._isRedis) { + return; + } } - // Await the transport emit - critical for Redis mode to maintain event order await this.eventTransport.emitChunk(streamId, event); } diff --git a/packages/api/src/stream/__tests__/GenerationJobManager.stream_integration.spec.ts b/packages/api/src/stream/__tests__/GenerationJobManager.stream_integration.spec.ts index 8723f3f000..59fe32e4e5 100644 --- a/packages/api/src/stream/__tests__/GenerationJobManager.stream_integration.spec.ts +++ b/packages/api/src/stream/__tests__/GenerationJobManager.stream_integration.spec.ts @@ -1,4 +1,17 @@ import type { Redis, Cluster } from 'ioredis'; +import type { ServerSentEvent } from '~/types/events'; +import { InMemoryEventTransport } from '~/stream/implementations/InMemoryEventTransport'; +import { RedisEventTransport } from '~/stream/implementations/RedisEventTransport'; +import { InMemoryJobStore } from '~/stream/implementations/InMemoryJobStore'; +import { GenerationJobManagerClass } from '~/stream/GenerationJobManager'; +import { RedisJobStore } from '~/stream/implementations/RedisJobStore'; +import { createStreamServices } from '~/stream/createStreamServices'; +import { GenerationJobManager } from '~/stream/GenerationJobManager'; +import { + ioredisClient as staticRedisClient, + keyvRedisClient as staticKeyvClient, + keyvRedisClientReady, +} from '~/cache/redisClients'; /** * Integration tests for GenerationJobManager. @@ -11,20 +24,23 @@ import type { Redis, Cluster } from 'ioredis'; describe('GenerationJobManager Integration Tests', () => { let originalEnv: NodeJS.ProcessEnv; let ioredisClient: Redis | Cluster | null = null; + let dynamicKeyvClient: unknown = null; + let dynamicKeyvReady: Promise | null = null; const testPrefix = 'JobManager-Integration-Test'; beforeAll(async () => { originalEnv = { ...process.env }; - // Set up test environment process.env.USE_REDIS = process.env.USE_REDIS ?? 'true'; process.env.REDIS_URI = process.env.REDIS_URI ?? 'redis://127.0.0.1:6379'; process.env.REDIS_KEY_PREFIX = testPrefix; jest.resetModules(); - const { ioredisClient: client } = await import('../../cache/redisClients'); - ioredisClient = client; + const redisModule = await import('~/cache/redisClients'); + ioredisClient = redisModule.ioredisClient; + dynamicKeyvClient = redisModule.keyvRedisClient; + dynamicKeyvReady = redisModule.keyvRedisClientReady; }); afterEach(async () => { @@ -45,28 +61,29 @@ describe('GenerationJobManager Integration Tests', () => { }); afterAll(async () => { - if (ioredisClient) { - try { - // Use quit() to gracefully close - waits for pending commands - await ioredisClient.quit(); - } catch { - // Fall back to disconnect if quit fails - try { - ioredisClient.disconnect(); - } catch { - // Ignore - } + for (const ready of [keyvRedisClientReady, dynamicKeyvReady]) { + if (ready) { + await ready.catch(() => {}); } } + + const clients = [ioredisClient, staticRedisClient, staticKeyvClient, dynamicKeyvClient]; + for (const client of clients) { + if (!client) { + continue; + } + try { + await (client as { disconnect: () => void | Promise }).disconnect(); + } catch { + /* ignore */ + } + } + process.env = originalEnv; }); describe('In-Memory Mode', () => { test('should create and manage jobs', async () => { - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { InMemoryJobStore } = await import('../implementations/InMemoryJobStore'); - const { InMemoryEventTransport } = await import('../implementations/InMemoryEventTransport'); - // Configure with in-memory // cleanupOnComplete: false so we can verify completed status GenerationJobManager.configure({ @@ -76,7 +93,7 @@ describe('GenerationJobManager Integration Tests', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `inmem-job-${Date.now()}`; const userId = 'test-user-1'; @@ -108,17 +125,13 @@ describe('GenerationJobManager Integration Tests', () => { }); test('should handle event streaming', async () => { - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { InMemoryJobStore } = await import('../implementations/InMemoryJobStore'); - const { InMemoryEventTransport } = await import('../implementations/InMemoryEventTransport'); - GenerationJobManager.configure({ jobStore: new InMemoryJobStore({ ttlAfterComplete: 60000 }), eventTransport: new InMemoryEventTransport(), isRedis: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `inmem-events-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -165,9 +178,6 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); - // Create Redis services const services = createStreamServices({ useRedis: true, @@ -177,7 +187,7 @@ describe('GenerationJobManager Integration Tests', () => { expect(services.isRedis).toBe(true); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `redis-job-${Date.now()}`; const userId = 'test-user-redis'; @@ -204,16 +214,13 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); - const services = createStreamServices({ useRedis: true, redisClient: ioredisClient, }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `redis-chunks-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -262,16 +269,13 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); - const services = createStreamServices({ useRedis: true, redisClient: ioredisClient, }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `redis-abort-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -314,10 +318,7 @@ describe('GenerationJobManager Integration Tests', () => { const runTestWithMode = async (isRedis: boolean) => { jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); - if (isRedis && ioredisClient) { - const { createStreamServices } = await import('../createStreamServices'); GenerationJobManager.configure({ ...createStreamServices({ useRedis: true, @@ -326,10 +327,6 @@ describe('GenerationJobManager Integration Tests', () => { cleanupOnComplete: false, // Keep job for verification }); } else { - const { InMemoryJobStore } = await import('../implementations/InMemoryJobStore'); - const { InMemoryEventTransport } = await import( - '../implementations/InMemoryEventTransport' - ); GenerationJobManager.configure({ jobStore: new InMemoryJobStore({ ttlAfterComplete: 60000 }), eventTransport: new InMemoryEventTransport(), @@ -338,7 +335,7 @@ describe('GenerationJobManager Integration Tests', () => { }); } - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `consistency-${isRedis ? 'redis' : 'inmem'}-${Date.now()}`; @@ -395,8 +392,6 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { RedisJobStore } = await import('../implementations/RedisJobStore'); - // === REPLICA A: Creates the job === // Simulate Replica A creating the job directly in Redis // (In real scenario, this happens via GenerationJobManager.createJob on Replica A) @@ -412,8 +407,6 @@ describe('GenerationJobManager Integration Tests', () => { // === REPLICA B: Receives the stream request === // Fresh GenerationJobManager that does NOT have this job in its local runtimeState jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); const services = createStreamServices({ useRedis: true, @@ -421,7 +414,7 @@ describe('GenerationJobManager Integration Tests', () => { }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); // This is what the stream endpoint does: // const job = await GenerationJobManager.getJob(streamId); @@ -464,10 +457,6 @@ describe('GenerationJobManager Integration Tests', () => { return; } - // Simulate two instances - one creates job, other tries to get it - const { createStreamServices } = await import('../createStreamServices'); - const { RedisJobStore } = await import('../implementations/RedisJobStore'); - // Instance 1: Create the job directly in Redis (simulating another replica) const jobStore = new RedisJobStore(ioredisClient); await jobStore.initialize(); @@ -480,7 +469,6 @@ describe('GenerationJobManager Integration Tests', () => { // Instance 2: Fresh GenerationJobManager that doesn't have this job in memory jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); const services = createStreamServices({ useRedis: true, @@ -488,7 +476,7 @@ describe('GenerationJobManager Integration Tests', () => { }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); // This should work even though the job was created by "another instance" // The manager should lazily create runtime state from Redis data @@ -517,16 +505,13 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); - const services = createStreamServices({ useRedis: true, redisClient: ioredisClient, }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `sync-sent-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -559,9 +544,6 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); - const services = createStreamServices({ useRedis: true, redisClient: ioredisClient, @@ -571,7 +553,7 @@ describe('GenerationJobManager Integration Tests', () => { ...services, cleanupOnComplete: false, // Keep job for verification }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `final-event-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -604,16 +586,13 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); - const services = createStreamServices({ useRedis: true, redisClient: ioredisClient, }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `abort-signal-${Date.now()}`; const job = await GenerationJobManager.createJob(streamId, 'user-1'); @@ -649,9 +628,6 @@ describe('GenerationJobManager Integration Tests', () => { // This test validates that jobs created on Replica A and lazily-initialized // on Replica B can still receive and handle abort signals. - const { createStreamServices } = await import('../createStreamServices'); - const { RedisJobStore } = await import('../implementations/RedisJobStore'); - // === Replica A: Create job directly in Redis === const replicaAJobStore = new RedisJobStore(ioredisClient); await replicaAJobStore.initialize(); @@ -661,7 +637,6 @@ describe('GenerationJobManager Integration Tests', () => { // === Replica B: Fresh manager that lazily initializes the job === jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); const services = createStreamServices({ useRedis: true, @@ -669,7 +644,7 @@ describe('GenerationJobManager Integration Tests', () => { }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); // Get job triggers lazy initialization of runtime state const job = await GenerationJobManager.getJob(streamId); @@ -710,19 +685,14 @@ describe('GenerationJobManager Integration Tests', () => { // 2. Replica B receives abort request and emits abort signal // 3. Replica A receives signal and aborts its AbortController - const { createStreamServices } = await import('../createStreamServices'); - const { RedisEventTransport } = await import('../implementations/RedisEventTransport'); - // Create the job on "Replica A" - const { GenerationJobManager } = await import('../GenerationJobManager'); - const services = createStreamServices({ useRedis: true, redisClient: ioredisClient, }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `cross-abort-${Date.now()}`; const job = await GenerationJobManager.createJob(streamId, 'user-1'); @@ -764,9 +734,6 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { createStreamServices } = await import('../createStreamServices'); - const { RedisJobStore } = await import('../implementations/RedisJobStore'); - // Create job directly in Redis with syncSent: true const jobStore = new RedisJobStore(ioredisClient); await jobStore.initialize(); @@ -777,7 +744,6 @@ describe('GenerationJobManager Integration Tests', () => { // Fresh manager that doesn't have this job locally jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); const services = createStreamServices({ useRedis: true, @@ -785,7 +751,7 @@ describe('GenerationJobManager Integration Tests', () => { }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); // wasSyncSent should check Redis even without local runtime const wasSent = await GenerationJobManager.wasSyncSent(streamId); @@ -813,8 +779,6 @@ describe('GenerationJobManager Integration Tests', () => { } jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); const services = createStreamServices({ useRedis: true, @@ -822,7 +786,7 @@ describe('GenerationJobManager Integration Tests', () => { }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `order-rapid-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -865,8 +829,6 @@ describe('GenerationJobManager Integration Tests', () => { } jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); const services = createStreamServices({ useRedis: true, @@ -874,7 +836,7 @@ describe('GenerationJobManager Integration Tests', () => { }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `tool-args-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -926,8 +888,6 @@ describe('GenerationJobManager Integration Tests', () => { } jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); const services = createStreamServices({ useRedis: true, @@ -935,7 +895,7 @@ describe('GenerationJobManager Integration Tests', () => { }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `step-order-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -991,8 +951,6 @@ describe('GenerationJobManager Integration Tests', () => { } jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { createStreamServices } = await import('../createStreamServices'); const services = createStreamServices({ useRedis: true, @@ -1000,7 +958,7 @@ describe('GenerationJobManager Integration Tests', () => { }); GenerationJobManager.configure(services); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId1 = `concurrent-1-${Date.now()}`; const streamId2 = `concurrent-2-${Date.now()}`; @@ -1057,6 +1015,202 @@ describe('GenerationJobManager Integration Tests', () => { }); }); + describe('Race Condition: Events Before Subscriber Ready', () => { + /** + * These tests verify the fix for the race condition where early events + * (like the 'created' event at seq 0) are lost because the Redis SUBSCRIBE + * command hasn't completed when events are published. + * + * Symptom: "[RedisEventTransport] Stream : timeout waiting for seq 0" + * followed by truncated responses in the UI. + * + * Root cause: RedisEventTransport.subscribe() fired Redis SUBSCRIBE as + * fire-and-forget. GenerationJobManager set hasSubscriber=true immediately, + * disabling the earlyEventBuffer before Redis was actually listening. + * + * Fix: subscribe() now returns a `ready` promise that resolves when the + * Redis subscription is confirmed. earlyEventBuffer stays active until then. + */ + + test('should buffer and replay events emitted before subscribe (in-memory)', async () => { + const manager = new GenerationJobManagerClass(); + manager.configure({ + jobStore: new InMemoryJobStore({ ttlAfterComplete: 60000 }), + eventTransport: new InMemoryEventTransport(), + isRedis: false, + }); + + manager.initialize(); + + const streamId = `early-buf-inmem-${Date.now()}`; + await manager.createJob(streamId, 'user-1'); + + await manager.emitChunk(streamId, { + created: true, + message: { text: 'hello' }, + streamId, + } as unknown as ServerSentEvent); + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: 'First chunk' } } }, + }); + + const receivedEvents: unknown[] = []; + const subscription = await manager.subscribe(streamId, (event: unknown) => + receivedEvents.push(event), + ); + + await new Promise((resolve) => setTimeout(resolve, 50)); + + expect(receivedEvents.length).toBe(2); + expect((receivedEvents[0] as Record).created).toBe(true); + + subscription?.unsubscribe(); + await manager.destroy(); + }); + + test('should buffer and replay events emitted before subscribe (Redis)', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const manager = new GenerationJobManagerClass(); + const services = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + + manager.configure(services); + manager.initialize(); + + const streamId = `early-buf-redis-${Date.now()}`; + await manager.createJob(streamId, 'user-1'); + + await manager.emitChunk(streamId, { + created: true, + message: { text: 'hello' }, + streamId, + } as unknown as ServerSentEvent); + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: 'First' } } }, + }); + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: ' chunk' } } }, + }); + + const receivedEvents: unknown[] = []; + const subscription = await manager.subscribe(streamId, (event: unknown) => + receivedEvents.push(event), + ); + + await new Promise((resolve) => setTimeout(resolve, 100)); + + expect(receivedEvents.length).toBe(3); + expect((receivedEvents[0] as Record).created).toBe(true); + expect( + ((receivedEvents[1] as Record).data as Record).delta, + ).toBeDefined(); + + subscription?.unsubscribe(); + await manager.destroy(); + }); + + test('should not lose events when emitting before and after subscribe (Redis)', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const manager = new GenerationJobManagerClass(); + const services = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + + manager.configure(services); + manager.initialize(); + + const streamId = `no-loss-${Date.now()}`; + await manager.createJob(streamId, 'user-1'); + + await manager.emitChunk(streamId, { + created: true, + message: { text: 'hello' }, + streamId, + } as unknown as ServerSentEvent); + await manager.emitChunk(streamId, { + event: 'on_run_step', + data: { id: 'step-1', type: 'message_creation', index: 0 }, + }); + + const receivedEvents: unknown[] = []; + const subscription = await manager.subscribe(streamId, (event: unknown) => + receivedEvents.push(event), + ); + + await new Promise((resolve) => setTimeout(resolve, 100)); + + for (let i = 0; i < 10; i++) { + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: `word${i} ` } }, index: i }, + }); + } + + await new Promise((resolve) => setTimeout(resolve, 300)); + + expect(receivedEvents.length).toBe(12); + expect((receivedEvents[0] as Record).created).toBe(true); + expect((receivedEvents[1] as Record).event).toBe('on_run_step'); + for (let i = 0; i < 10; i++) { + expect((receivedEvents[i + 2] as Record).event).toBe('on_message_delta'); + } + + subscription?.unsubscribe(); + await manager.destroy(); + }); + + test('RedisEventTransport.subscribe() should return a ready promise', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const subscriber = (ioredisClient as unknown as { duplicate: () => unknown }).duplicate(); + const transport = new RedisEventTransport(ioredisClient as never, subscriber as never); + + const streamId = `ready-promise-${Date.now()}`; + const result = transport.subscribe(streamId, { + onChunk: () => {}, + }); + + expect(result.ready).toBeDefined(); + expect(result.ready).toBeInstanceOf(Promise); + + await result.ready; + + result.unsubscribe(); + transport.destroy(); + (subscriber as { disconnect: () => void }).disconnect(); + }); + + test('InMemoryEventTransport.subscribe() should not have a ready promise', () => { + const transport = new InMemoryEventTransport(); + const streamId = `no-ready-${Date.now()}`; + const result = transport.subscribe(streamId, { + onChunk: () => {}, + }); + + expect(result.ready).toBeUndefined(); + + result.unsubscribe(); + transport.destroy(); + }); + }); + describe('Error Preservation for Late Subscribers', () => { /** * These tests verify the fix for the race condition where errors @@ -1067,10 +1221,6 @@ describe('GenerationJobManager Integration Tests', () => { */ test('should store error in emitError for late-connecting subscribers', async () => { - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { InMemoryJobStore } = await import('../implementations/InMemoryJobStore'); - const { InMemoryEventTransport } = await import('../implementations/InMemoryEventTransport'); - GenerationJobManager.configure({ jobStore: new InMemoryJobStore({ ttlAfterComplete: 60000 }), eventTransport: new InMemoryEventTransport(), @@ -1078,7 +1228,7 @@ describe('GenerationJobManager Integration Tests', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `error-store-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -1099,10 +1249,6 @@ describe('GenerationJobManager Integration Tests', () => { }); test('should NOT delete job immediately when completeJob is called with error', async () => { - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { InMemoryJobStore } = await import('../implementations/InMemoryJobStore'); - const { InMemoryEventTransport } = await import('../implementations/InMemoryEventTransport'); - GenerationJobManager.configure({ jobStore: new InMemoryJobStore({ ttlAfterComplete: 60000 }), eventTransport: new InMemoryEventTransport(), @@ -1110,7 +1256,7 @@ describe('GenerationJobManager Integration Tests', () => { cleanupOnComplete: true, // Default behavior }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `error-no-delete-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -1133,10 +1279,6 @@ describe('GenerationJobManager Integration Tests', () => { }); test('should send stored error to late-connecting subscriber', async () => { - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { InMemoryJobStore } = await import('../implementations/InMemoryJobStore'); - const { InMemoryEventTransport } = await import('../implementations/InMemoryEventTransport'); - GenerationJobManager.configure({ jobStore: new InMemoryJobStore({ ttlAfterComplete: 60000 }), eventTransport: new InMemoryEventTransport(), @@ -1144,7 +1286,7 @@ describe('GenerationJobManager Integration Tests', () => { cleanupOnComplete: true, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `error-late-sub-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -1182,10 +1324,6 @@ describe('GenerationJobManager Integration Tests', () => { }); test('should prioritize error status over finalEvent in subscribe', async () => { - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { InMemoryJobStore } = await import('../implementations/InMemoryJobStore'); - const { InMemoryEventTransport } = await import('../implementations/InMemoryEventTransport'); - GenerationJobManager.configure({ jobStore: new InMemoryJobStore({ ttlAfterComplete: 60000 }), eventTransport: new InMemoryEventTransport(), @@ -1193,7 +1331,7 @@ describe('GenerationJobManager Integration Tests', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `error-priority-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -1237,9 +1375,6 @@ describe('GenerationJobManager Integration Tests', () => { return; } - const { createStreamServices } = await import('../createStreamServices'); - const { RedisJobStore } = await import('../implementations/RedisJobStore'); - // === Replica A: Creates job and emits error === const replicaAJobStore = new RedisJobStore(ioredisClient); await replicaAJobStore.initialize(); @@ -1256,7 +1391,6 @@ describe('GenerationJobManager Integration Tests', () => { // === Replica B: Fresh manager receives client connection === jest.resetModules(); - const { GenerationJobManager } = await import('../GenerationJobManager'); const services = createStreamServices({ useRedis: true, @@ -1267,7 +1401,7 @@ describe('GenerationJobManager Integration Tests', () => { ...services, cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); // Client connects to Replica B (job created on Replica A) let receivedError: string | undefined; @@ -1293,10 +1427,6 @@ describe('GenerationJobManager Integration Tests', () => { }); test('error jobs should be cleaned up by periodic cleanup after TTL', async () => { - const { GenerationJobManager } = await import('../GenerationJobManager'); - const { InMemoryJobStore } = await import('../implementations/InMemoryJobStore'); - const { InMemoryEventTransport } = await import('../implementations/InMemoryEventTransport'); - // Use a very short TTL for testing const jobStore = new InMemoryJobStore({ ttlAfterComplete: 100 }); @@ -1307,7 +1437,7 @@ describe('GenerationJobManager Integration Tests', () => { cleanupOnComplete: true, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `error-cleanup-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -1333,36 +1463,457 @@ describe('GenerationJobManager Integration Tests', () => { }); }); - describe('createStreamServices Auto-Detection', () => { - test('should auto-detect Redis when USE_REDIS is true', async () => { + describe('Cross-Replica Live Streaming (Redis)', () => { + test('should publish events to Redis even when no local subscriber exists', async () => { if (!ioredisClient) { console.warn('Redis not available, skipping test'); return; } - // Force USE_REDIS to true - process.env.USE_REDIS = 'true'; - jest.resetModules(); + const replicaA = new GenerationJobManagerClass(); + const servicesA = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + replicaA.configure(servicesA); + replicaA.initialize(); - const { createStreamServices } = await import('../createStreamServices'); - const services = createStreamServices(); + const replicaB = new GenerationJobManagerClass(); + const servicesB = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + replicaB.configure(servicesB); + replicaB.initialize(); - // Should detect Redis - expect(services.isRedis).toBe(true); + const streamId = `cross-live-${Date.now()}`; + await replicaA.createJob(streamId, 'user-1'); + + const replicaBJobStore = new RedisJobStore(ioredisClient); + await replicaBJobStore.initialize(); + await replicaBJobStore.createJob(streamId, 'user-1'); + + const receivedOnB: unknown[] = []; + const subB = await replicaB.subscribe(streamId, (event: unknown) => receivedOnB.push(event)); + + await new Promise((resolve) => setTimeout(resolve, 100)); + + for (let i = 0; i < 5; i++) { + await replicaA.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: `token${i} ` } }, index: i }, + }); + } + + await new Promise((resolve) => setTimeout(resolve, 300)); + + expect(receivedOnB.length).toBe(5); + for (let i = 0; i < 5; i++) { + expect((receivedOnB[i] as Record).event).toBe('on_message_delta'); + } + + subB?.unsubscribe(); + replicaBJobStore.destroy(); + await replicaA.destroy(); + await replicaB.destroy(); }); - test('should fall back to in-memory when USE_REDIS is false', async () => { - process.env.USE_REDIS = 'false'; - jest.resetModules(); + test('should not cause data loss on cross-replica subscribers when local subscriber joins', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } - const { createStreamServices } = await import('../createStreamServices'); - const services = createStreamServices(); + const replicaA = new GenerationJobManagerClass(); + const servicesA = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + replicaA.configure(servicesA); + replicaA.initialize(); + + const replicaB = new GenerationJobManagerClass(); + const servicesB = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + replicaB.configure(servicesB); + replicaB.initialize(); + + const streamId = `cross-seq-safe-${Date.now()}`; + + await replicaA.createJob(streamId, 'user-1'); + const replicaBJobStore = new RedisJobStore(ioredisClient); + await replicaBJobStore.initialize(); + await replicaBJobStore.createJob(streamId, 'user-1'); + + const receivedOnB: unknown[] = []; + const subB = await replicaB.subscribe(streamId, (event: unknown) => receivedOnB.push(event)); + await new Promise((resolve) => setTimeout(resolve, 100)); + + for (let i = 0; i < 3; i++) { + await replicaA.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: `pre-local-${i}` } }, index: i }, + }); + } + + await new Promise((resolve) => setTimeout(resolve, 300)); + expect(receivedOnB.length).toBe(3); + + const receivedOnA: unknown[] = []; + const subA = await replicaA.subscribe(streamId, (event: unknown) => receivedOnA.push(event)); + await new Promise((resolve) => setTimeout(resolve, 100)); + + expect(receivedOnA.length).toBe(3); + + for (let i = 0; i < 3; i++) { + await replicaA.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: `post-local-${i}` } }, index: i + 3 }, + }); + } + + await new Promise((resolve) => setTimeout(resolve, 300)); + + expect(receivedOnB.length).toBe(6); + expect(receivedOnA.length).toBe(6); + + for (let i = 0; i < 3; i++) { + const data = (receivedOnB[i] as Record).data as Record; + const delta = data.delta as Record; + const content = delta.content as Record; + expect(content.text).toBe(`pre-local-${i}`); + } + for (let i = 0; i < 3; i++) { + const data = (receivedOnB[i + 3] as Record).data as Record< + string, + unknown + >; + const delta = data.delta as Record; + const content = delta.content as Record; + expect(content.text).toBe(`post-local-${i}`); + } + + subA?.unsubscribe(); + subB?.unsubscribe(); + replicaBJobStore.destroy(); + await replicaA.destroy(); + await replicaB.destroy(); + }); + + test('should deliver buffered events locally AND publish live events cross-replica', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const replicaA = new GenerationJobManagerClass(); + const servicesA = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + replicaA.configure(servicesA); + replicaA.initialize(); + + const streamId = `cross-buf-live-${Date.now()}`; + await replicaA.createJob(streamId, 'user-1'); + + await replicaA.emitChunk(streamId, { + created: true, + message: { text: 'hello' }, + streamId, + } as unknown as ServerSentEvent); + + const receivedOnA: unknown[] = []; + const subA = await replicaA.subscribe(streamId, (event: unknown) => receivedOnA.push(event)); + + await new Promise((resolve) => setTimeout(resolve, 100)); + + expect(receivedOnA.length).toBe(1); + expect((receivedOnA[0] as Record).created).toBe(true); + + const replicaB = new GenerationJobManagerClass(); + const servicesB = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + replicaB.configure(servicesB); + replicaB.initialize(); + + const replicaBJobStore = new RedisJobStore(ioredisClient); + await replicaBJobStore.initialize(); + await replicaBJobStore.createJob(streamId, 'user-1'); + + const receivedOnB: unknown[] = []; + const subB = await replicaB.subscribe(streamId, (event: unknown) => receivedOnB.push(event)); + + await new Promise((resolve) => setTimeout(resolve, 100)); + + for (let i = 0; i < 3; i++) { + await replicaA.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: `word${i} ` } }, index: i }, + }); + } + + /** B joined after A published seq 0, so B's reorder buffer force-flushes after REORDER_TIMEOUT_MS (500ms) */ + await new Promise((resolve) => setTimeout(resolve, 700)); + + expect(receivedOnA.length).toBe(4); + expect(receivedOnB.length).toBe(3); + + subA?.unsubscribe(); + subB?.unsubscribe(); + replicaBJobStore.destroy(); + await replicaA.destroy(); + await replicaB.destroy(); + }); + }); + + describe('Concurrent Subscriber Readiness (Redis)', () => { + test('should return ready promise to all concurrent subscribers for same stream', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const subscriber = ( + ioredisClient as unknown as { duplicate: () => typeof ioredisClient } + ).duplicate()!; + const transport = new RedisEventTransport(ioredisClient as never, subscriber as never); + + const streamId = `concurrent-sub-${Date.now()}`; + + const sub1 = transport.subscribe(streamId, { + onChunk: () => {}, + onDone: () => {}, + }); + const sub2 = transport.subscribe(streamId, { + onChunk: () => {}, + onDone: () => {}, + }); + + expect(sub1.ready).toBeDefined(); + expect(sub2.ready).toBeDefined(); + + await Promise.all([sub1.ready, sub2.ready]); + + sub1.unsubscribe(); + sub2.unsubscribe(); + transport.destroy(); + subscriber.disconnect(); + }); + }); + + describe('Sequence Reset Safety (Redis)', () => { + test('should not receive stale pre-subscribe events via Redis after sequence reset', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const manager = new GenerationJobManagerClass(); + const services = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + manager.configure(services); + manager.initialize(); + + const streamId = `seq-stale-${Date.now()}`; + await manager.createJob(streamId, 'user-1'); + + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: 'pre-sub-0' } }, index: 0 }, + }); + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: 'pre-sub-1' } }, index: 1 }, + }); + + const receivedEvents: unknown[] = []; + const sub = await manager.subscribe(streamId, (event: unknown) => receivedEvents.push(event)); + + await new Promise((resolve) => setTimeout(resolve, 100)); + + expect(receivedEvents.length).toBe(2); + expect( + ((receivedEvents[0] as Record).data as Record).delta, + ).toBeDefined(); + + for (let i = 0; i < 5; i++) { + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: `post-sub-${i}` } }, index: i + 2 }, + }); + } + + await new Promise((resolve) => setTimeout(resolve, 300)); + + expect(receivedEvents.length).toBe(7); + + const texts = receivedEvents.map( + (e) => + ( + ((e as Record).data as Record).delta as Record< + string, + unknown + > + ).content as Record, + ); + expect((texts[0] as Record).text).toBe('pre-sub-0'); + expect((texts[1] as Record).text).toBe('pre-sub-1'); + for (let i = 0; i < 5; i++) { + expect((texts[i + 2] as Record).text).toBe(`post-sub-${i}`); + } + + sub?.unsubscribe(); + await manager.destroy(); + }); + + test('should not reset sequence when second subscriber joins mid-stream', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const manager = new GenerationJobManagerClass(); + const services = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + manager.configure({ ...services, cleanupOnComplete: false }); + manager.initialize(); + + const streamId = `seq-2nd-sub-${Date.now()}`; + await manager.createJob(streamId, 'user-1'); + + const eventsA: unknown[] = []; + const subA = await manager.subscribe(streamId, (event: unknown) => eventsA.push(event)); + + await new Promise((resolve) => setTimeout(resolve, 50)); + + for (let i = 0; i < 3; i++) { + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: `chunk-${i}` } }, index: i }, + }); + } + + await new Promise((resolve) => setTimeout(resolve, 100)); + + expect(eventsA.length).toBe(3); + + const eventsB: unknown[] = []; + const subB = await manager.subscribe(streamId, (event: unknown) => eventsB.push(event)); + + for (let i = 3; i < 6; i++) { + await manager.emitChunk(streamId, { + event: 'on_message_delta', + data: { delta: { content: { type: 'text', text: `chunk-${i}` } }, index: i }, + }); + } + + await new Promise((resolve) => setTimeout(resolve, 300)); + + expect(eventsA.length).toBe(6); + expect(eventsB.length).toBe(3); + + for (let i = 0; i < 6; i++) { + const text = ( + ( + ((eventsA[i] as Record).data as Record) + .delta as Record + ).content as Record + ).text; + expect(text).toBe(`chunk-${i}`); + } + + subA?.unsubscribe(); + subB?.unsubscribe(); + await manager.destroy(); + }); + }); + + describe('Subscribe Error Recovery (Redis)', () => { + test('should allow resubscription after Redis subscribe failure', async () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const subscriber = ( + ioredisClient as unknown as { duplicate: () => typeof ioredisClient } + ).duplicate()!; + + const realSubscribe = subscriber.subscribe.bind(subscriber); + let callCount = 0; + subscriber.subscribe = ((...args: Parameters) => { + callCount++; + if (callCount === 1) { + return Promise.reject(new Error('Simulated Redis SUBSCRIBE failure')); + } + return realSubscribe(...args); + }) as typeof subscriber.subscribe; + + const transport = new RedisEventTransport(ioredisClient as never, subscriber as never); + + const streamId = `err-retry-${Date.now()}`; + + const sub1 = transport.subscribe(streamId, { + onChunk: () => {}, + onDone: () => {}, + }); + + await sub1.ready; + + const receivedEvents: unknown[] = []; + sub1.unsubscribe(); + + const sub2 = transport.subscribe(streamId, { + onChunk: (event: unknown) => receivedEvents.push(event), + onDone: () => {}, + }); + + expect(sub2.ready).toBeDefined(); + await sub2.ready; + + await transport.emitChunk(streamId, { event: 'test', data: { value: 'hello' } }); + await new Promise((resolve) => setTimeout(resolve, 100)); + + expect(receivedEvents.length).toBe(1); + + sub2.unsubscribe(); + transport.destroy(); + subscriber.disconnect(); + }); + }); + + describe('createStreamServices Auto-Detection', () => { + test('should use Redis when useRedis is true and client is available', () => { + if (!ioredisClient) { + console.warn('Redis not available, skipping test'); + return; + } + + const services = createStreamServices({ + useRedis: true, + redisClient: ioredisClient, + }); + + expect(services.isRedis).toBe(true); + services.eventTransport.destroy(); + }); + + test('should fall back to in-memory when useRedis is false', () => { + const services = createStreamServices({ useRedis: false }); expect(services.isRedis).toBe(false); }); test('should allow forcing in-memory via config override', async () => { - const { createStreamServices } = await import('../createStreamServices'); const services = createStreamServices({ useRedis: false }); expect(services.isRedis).toBe(false); diff --git a/packages/api/src/stream/__tests__/collectedUsage.spec.ts b/packages/api/src/stream/__tests__/collectedUsage.spec.ts index 3e534b537a..d9a9ab95fe 100644 --- a/packages/api/src/stream/__tests__/collectedUsage.spec.ts +++ b/packages/api/src/stream/__tests__/collectedUsage.spec.ts @@ -146,7 +146,7 @@ describe('CollectedUsage - GenerationJobManager', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `manager-test-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -179,7 +179,7 @@ describe('CollectedUsage - GenerationJobManager', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `no-usage-test-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -202,7 +202,7 @@ describe('CollectedUsage - GenerationJobManager', () => { isRedis: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const collectedUsage: UsageMetadata[] = [ { input_tokens: 100, output_tokens: 50, model: 'gpt-4' }, @@ -235,7 +235,7 @@ describe('AbortJob - Text and CollectedUsage', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `text-extract-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -267,7 +267,7 @@ describe('AbortJob - Text and CollectedUsage', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `empty-text-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -291,7 +291,7 @@ describe('AbortJob - Text and CollectedUsage', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `full-abort-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -328,7 +328,7 @@ describe('AbortJob - Text and CollectedUsage', () => { isRedis: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const abortResult = await GenerationJobManager.abortJob('non-existent-job'); @@ -365,7 +365,7 @@ describe('Real-world Scenarios', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `parallel-abort-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -419,7 +419,7 @@ describe('Real-world Scenarios', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `cache-abort-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); @@ -459,7 +459,7 @@ describe('Real-world Scenarios', () => { cleanupOnComplete: false, }); - await GenerationJobManager.initialize(); + GenerationJobManager.initialize(); const streamId = `sequential-abort-${Date.now()}`; await GenerationJobManager.createJob(streamId, 'user-1'); diff --git a/packages/api/src/stream/implementations/InMemoryEventTransport.ts b/packages/api/src/stream/implementations/InMemoryEventTransport.ts index 39b3d6029d..d0a815ce45 100644 --- a/packages/api/src/stream/implementations/InMemoryEventTransport.ts +++ b/packages/api/src/stream/implementations/InMemoryEventTransport.ts @@ -32,7 +32,7 @@ export class InMemoryEventTransport implements IEventTransport { onDone?: (event: unknown) => void; onError?: (error: string) => void; }, - ): { unsubscribe: () => void } { + ): { unsubscribe: () => void; ready?: Promise } { const state = this.getOrCreateStream(streamId); const chunkHandler = (event: unknown) => handlers.onChunk(event); diff --git a/packages/api/src/stream/implementations/RedisEventTransport.ts b/packages/api/src/stream/implementations/RedisEventTransport.ts index 78f545c18e..2362afe647 100644 --- a/packages/api/src/stream/implementations/RedisEventTransport.ts +++ b/packages/api/src/stream/implementations/RedisEventTransport.ts @@ -92,8 +92,8 @@ export class RedisEventTransport implements IEventTransport { private subscriber: Redis | Cluster; /** Track subscribers per stream */ private streams = new Map(); - /** Track which channels we're subscribed to */ - private subscribedChannels = new Set(); + /** Track channel subscription state: resolved promise = active, pending = in-flight */ + private channelSubscriptions = new Map>(); /** Counter for generating unique subscriber IDs */ private subscriberIdCounter = 0; /** Sequence counters per stream for publishing (ensures ordered delivery in cluster mode) */ @@ -122,9 +122,32 @@ export class RedisEventTransport implements IEventTransport { return current; } - /** Reset sequence counter for a stream */ - private resetSequence(streamId: string): void { + /** Reset publish sequence counter and subscriber reorder state for a stream (full cleanup only) */ + resetSequence(streamId: string): void { this.sequenceCounters.delete(streamId); + const state = this.streams.get(streamId); + if (state) { + if (state.reorderBuffer.flushTimeout) { + clearTimeout(state.reorderBuffer.flushTimeout); + state.reorderBuffer.flushTimeout = null; + } + state.reorderBuffer.nextSeq = 0; + state.reorderBuffer.pending.clear(); + } + } + + /** Advance subscriber reorder buffer to current publisher sequence without resetting publisher (cross-replica safe) */ + syncReorderBuffer(streamId: string): void { + const currentSeq = this.sequenceCounters.get(streamId) ?? 0; + const state = this.streams.get(streamId); + if (state) { + if (state.reorderBuffer.flushTimeout) { + clearTimeout(state.reorderBuffer.flushTimeout); + state.reorderBuffer.flushTimeout = null; + } + state.reorderBuffer.nextSeq = currentSeq; + state.reorderBuffer.pending.clear(); + } } /** @@ -331,7 +354,7 @@ export class RedisEventTransport implements IEventTransport { onDone?: (event: unknown) => void; onError?: (error: string) => void; }, - ): { unsubscribe: () => void } { + ): { unsubscribe: () => void; ready?: Promise } { const channel = CHANNELS.events(streamId); const subscriberId = `sub_${++this.subscriberIdCounter}`; @@ -354,16 +377,23 @@ export class RedisEventTransport implements IEventTransport { streamState.count++; streamState.handlers.set(subscriberId, handlers); - // Subscribe to Redis channel if this is first subscriber - if (!this.subscribedChannels.has(channel)) { - this.subscribedChannels.add(channel); - this.subscriber.subscribe(channel).catch((err) => { - logger.error(`[RedisEventTransport] Failed to subscribe to ${channel}:`, err); - }); + let readyPromise = this.channelSubscriptions.get(channel); + + if (!readyPromise) { + readyPromise = this.subscriber + .subscribe(channel) + .then(() => { + logger.debug(`[RedisEventTransport] Subscription active for channel ${channel}`); + }) + .catch((err) => { + this.channelSubscriptions.delete(channel); + logger.error(`[RedisEventTransport] Failed to subscribe to ${channel}:`, err); + }); + this.channelSubscriptions.set(channel, readyPromise); } - // Return unsubscribe function return { + ready: readyPromise, unsubscribe: () => { const state = this.streams.get(streamId); if (!state) { @@ -385,7 +415,7 @@ export class RedisEventTransport implements IEventTransport { this.subscriber.unsubscribe(channel).catch((err) => { logger.error(`[RedisEventTransport] Failed to unsubscribe from ${channel}:`, err); }); - this.subscribedChannels.delete(channel); + this.channelSubscriptions.delete(channel); // Call all-subscribers-left callbacks for (const callback of state.allSubscribersLeftCallbacks) { @@ -532,12 +562,15 @@ export class RedisEventTransport implements IEventTransport { state.abortCallbacks.push(callback); - // Subscribe to Redis channel if not already subscribed - if (!this.subscribedChannels.has(channel)) { - this.subscribedChannels.add(channel); - this.subscriber.subscribe(channel).catch((err) => { - logger.error(`[RedisEventTransport] Failed to subscribe to ${channel}:`, err); - }); + if (!this.channelSubscriptions.has(channel)) { + const ready = this.subscriber + .subscribe(channel) + .then(() => {}) + .catch((err) => { + this.channelSubscriptions.delete(channel); + logger.error(`[RedisEventTransport] Failed to subscribe to ${channel}:`, err); + }); + this.channelSubscriptions.set(channel, ready); } } @@ -571,12 +604,11 @@ export class RedisEventTransport implements IEventTransport { // Reset sequence counter for this stream this.resetSequence(streamId); - // Unsubscribe from Redis channel - if (this.subscribedChannels.has(channel)) { + if (this.channelSubscriptions.has(channel)) { this.subscriber.unsubscribe(channel).catch((err) => { logger.error(`[RedisEventTransport] Failed to cleanup ${channel}:`, err); }); - this.subscribedChannels.delete(channel); + this.channelSubscriptions.delete(channel); } this.streams.delete(streamId); @@ -595,18 +627,20 @@ export class RedisEventTransport implements IEventTransport { state.reorderBuffer.pending.clear(); } - // Unsubscribe from all channels - for (const channel of this.subscribedChannels) { - this.subscriber.unsubscribe(channel).catch(() => { - // Ignore errors during shutdown - }); + for (const channel of this.channelSubscriptions.keys()) { + this.subscriber.unsubscribe(channel).catch(() => {}); } - this.subscribedChannels.clear(); + this.channelSubscriptions.clear(); this.streams.clear(); this.sequenceCounters.clear(); - // Note: Don't close Redis connections - they may be shared + try { + this.subscriber.disconnect(); + } catch { + /* ignore */ + } + logger.info('[RedisEventTransport] Destroyed'); } } diff --git a/packages/api/src/stream/interfaces/IJobStore.ts b/packages/api/src/stream/interfaces/IJobStore.ts index d990283925..5486b941eb 100644 --- a/packages/api/src/stream/interfaces/IJobStore.ts +++ b/packages/api/src/stream/interfaces/IJobStore.ts @@ -286,7 +286,7 @@ export interface IJobStore { * Implementations can use EventEmitter, Redis Pub/Sub, etc. */ export interface IEventTransport { - /** Subscribe to events for a stream */ + /** Subscribe to events for a stream. `ready` resolves once the transport can receive messages. */ subscribe( streamId: string, handlers: { @@ -294,7 +294,7 @@ export interface IEventTransport { onDone?: (event: unknown) => void; onError?: (error: string) => void; }, - ): { unsubscribe: () => void }; + ): { unsubscribe: () => void; ready?: Promise }; /** Publish a chunk event - returns Promise in Redis mode for ordered delivery */ emitChunk(streamId: string, event: unknown): void | Promise; @@ -329,6 +329,12 @@ export interface IEventTransport { /** Listen for all subscribers leaving */ onAllSubscribersLeft(streamId: string, callback: () => void): void; + /** Reset publish sequence counter for a stream (used during full stream cleanup) */ + resetSequence?(streamId: string): void; + + /** Advance subscriber reorder buffer to match publisher sequence (cross-replica safe: doesn't reset publisher counter) */ + syncReorderBuffer?(streamId: string): void; + /** Cleanup transport resources for a specific stream */ cleanup(streamId: string): void; From 8da3c38780b70ddbe3398a25a588b96d2bbb9ab3 Mon Sep 17 00:00:00 2001 From: Sean DMR Date: Tue, 10 Feb 2026 18:28:18 +0000 Subject: [PATCH 02/55] =?UTF-8?q?=F0=9F=AA=9F=20fix:=20Update=20Link=20Tar?= =?UTF-8?q?get=20to=20Open=20in=20Separate=20Tabs=20(#11669)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `_new` is not a recognized keyword for the `target` attribute. While browsers treat it as a named window, `_blank` is the standard value for opening links in a new tab/window. --- .../src/components/Chat/Messages/Content/MarkdownComponents.tsx | 2 +- client/src/components/Chat/Messages/Content/MarkdownLite.tsx | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/client/src/components/Chat/Messages/Content/MarkdownComponents.tsx b/client/src/components/Chat/Messages/Content/MarkdownComponents.tsx index 7db3fa668a..d647147151 100644 --- a/client/src/components/Chat/Messages/Content/MarkdownComponents.tsx +++ b/client/src/components/Chat/Messages/Content/MarkdownComponents.tsx @@ -111,7 +111,7 @@ export const a: React.ElementType = memo(({ href, children }: TAnchorProps) => { }, [user?.id, href]); const { refetch: downloadFile } = useFileDownload(user?.id ?? '', file_id); - const props: { target?: string; onClick?: React.MouseEventHandler } = { target: '_new' }; + const props: { target?: string; onClick?: React.MouseEventHandler } = { target: '_blank' }; if (!file_id || !filename) { return ( diff --git a/client/src/components/Chat/Messages/Content/MarkdownLite.tsx b/client/src/components/Chat/Messages/Content/MarkdownLite.tsx index 65efe2f256..24980d8a90 100644 --- a/client/src/components/Chat/Messages/Content/MarkdownLite.tsx +++ b/client/src/components/Chat/Messages/Content/MarkdownLite.tsx @@ -38,7 +38,6 @@ const MarkdownLite = memo( ]} /** @ts-ignore */ rehypePlugins={rehypePlugins} - // linkTarget="_new" components={ { code: codeExecution ? code : codeNoExecution, From 4ddaab68a15b87e359bfed97b05e69402d8b18bc Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Tue, 10 Feb 2026 15:08:17 -0500 Subject: [PATCH 03/55] =?UTF-8?q?=F0=9F=94=A7=20fix:=20Update=20z-index=20?= =?UTF-8?q?for=20ImagePreview=20modal=20components=20(#11714)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Increased z-index values for the DialogPrimitive overlay and content in ImagePreview.tsx to ensure proper stacking order and visibility of modal elements. This change enhances the user experience by preventing modal content from being obscured by other UI elements. --- client/src/components/Chat/Input/Files/ImagePreview.tsx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/src/components/Chat/Input/Files/ImagePreview.tsx b/client/src/components/Chat/Input/Files/ImagePreview.tsx index c675c9326c..2714c3677f 100644 --- a/client/src/components/Chat/Input/Files/ImagePreview.tsx +++ b/client/src/components/Chat/Input/Files/ImagePreview.tsx @@ -158,11 +158,11 @@ const ImagePreview = ({ { e.preventDefault(); closeButtonRef.current?.focus(); From 299efc2ccb6030db63ebcf9f6970961a8981d3f3 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Tue, 10 Feb 2026 20:03:17 -0500 Subject: [PATCH 04/55] =?UTF-8?q?=F0=9F=93=A6=20chore:=20Bump=20`@librecha?= =?UTF-8?q?t/agents`=20&=20`axios`,=20Bedrock=20Prompt=20Caching=20fix=20(?= =?UTF-8?q?#11723)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 chore: Update @librechat/agents to version 3.1.39 in package.json and package-lock.json * 🔧 chore: Update axios to version 1.13.5 in package.json and package-lock.json across multiple packages --- api/package.json | 4 +-- package-lock.json | 38 ++++++++++++++--------------- packages/api/package.json | 4 +-- packages/data-provider/package.json | 2 +- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/api/package.json b/api/package.json index f26022d8d3..0e0099ef06 100644 --- a/api/package.json +++ b/api/package.json @@ -44,14 +44,14 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.38", + "@librechat/agents": "^3.1.39", "@librechat/api": "*", "@librechat/data-schemas": "*", "@microsoft/microsoft-graph-client": "^3.0.7", "@modelcontextprotocol/sdk": "^1.26.0", "@node-saml/passport-saml": "^5.1.0", "@smithy/node-http-handler": "^4.4.5", - "axios": "^1.12.1", + "axios": "^1.13.5", "bcryptjs": "^2.4.3", "compression": "^1.8.1", "connect-redis": "^8.1.0", diff --git a/package-lock.json b/package-lock.json index c89cf1a9dd..249ad9e0d6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -58,14 +58,14 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.38", + "@librechat/agents": "^3.1.39", "@librechat/api": "*", "@librechat/data-schemas": "*", "@microsoft/microsoft-graph-client": "^3.0.7", "@modelcontextprotocol/sdk": "^1.26.0", "@node-saml/passport-saml": "^5.1.0", "@smithy/node-http-handler": "^4.4.5", - "axios": "^1.12.1", + "axios": "^1.13.5", "bcryptjs": "^2.4.3", "compression": "^1.8.1", "connect-redis": "^8.1.0", @@ -11207,9 +11207,9 @@ } }, "node_modules/@librechat/agents": { - "version": "3.1.38", - "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.38.tgz", - "integrity": "sha512-s8WkS2bXkTWsPGKsQKlUFWUVijMAIQvpv4LZLbNj/rZui0R+82vY/CVnkK3jeUueNMo6GS7GG9Fj01FZmhXslw==", + "version": "3.1.39", + "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.39.tgz", + "integrity": "sha512-HsMOkAKap6O0w4rpr/YdZIrRXBo8tEIM9iO8Z/6txeQUHyRsrdBFo7Kdu+t0leUOq+3NysnD8BRQpcfXKfMF3Q==", "license": "MIT", "dependencies": { "@anthropic-ai/sdk": "^0.73.0", @@ -21308,13 +21308,13 @@ } }, "node_modules/axios": { - "version": "1.12.1", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.12.1.tgz", - "integrity": "sha512-Kn4kbSXpkFHCGE6rBFNwIv0GQs4AvDT80jlveJDKFxjbTYMUeB4QtsdPCv6H8Cm19Je7IU6VFtRl2zWZI0rudQ==", + "version": "1.13.5", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.5.tgz", + "integrity": "sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==", "license": "MIT", "dependencies": { - "follow-redirects": "^1.15.6", - "form-data": "^4.0.4", + "follow-redirects": "^1.15.11", + "form-data": "^4.0.5", "proxy-from-env": "^1.1.0" } }, @@ -26297,9 +26297,9 @@ "integrity": "sha512-GRnmB5gPyJpAhTQdSZTSp9uaPSvl09KoYcMQtsB9rQoOmzs9dH6ffeccH+Z+cv6P68Hu5bC6JjRh4Ah/mHSNRw==" }, "node_modules/follow-redirects": { - "version": "1.15.9", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.9.tgz", - "integrity": "sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==", + "version": "1.15.11", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz", + "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==", "funding": [ { "type": "individual", @@ -26352,9 +26352,9 @@ } }, "node_modules/form-data": { - "version": "4.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz", - "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==", + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", + "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", @@ -42102,11 +42102,11 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.38", + "@librechat/agents": "^3.1.39", "@librechat/data-schemas": "*", "@modelcontextprotocol/sdk": "^1.26.0", "@smithy/node-http-handler": "^4.4.5", - "axios": "^1.12.1", + "axios": "^1.13.5", "connect-redis": "^8.1.0", "eventsource": "^3.0.2", "express": "^5.1.0", @@ -44464,7 +44464,7 @@ "version": "0.8.231", "license": "ISC", "dependencies": { - "axios": "^1.12.1", + "axios": "^1.13.5", "dayjs": "^1.11.13", "js-yaml": "^4.1.1", "zod": "^3.22.4" diff --git a/packages/api/package.json b/packages/api/package.json index 0dd1bfc005..b9d233e2ea 100644 --- a/packages/api/package.json +++ b/packages/api/package.json @@ -87,11 +87,11 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.38", + "@librechat/agents": "^3.1.39", "@librechat/data-schemas": "*", "@modelcontextprotocol/sdk": "^1.26.0", "@smithy/node-http-handler": "^4.4.5", - "axios": "^1.12.1", + "axios": "^1.13.5", "connect-redis": "^8.1.0", "eventsource": "^3.0.2", "express": "^5.1.0", diff --git a/packages/data-provider/package.json b/packages/data-provider/package.json index 02e86fbbb1..c2466e5fa9 100644 --- a/packages/data-provider/package.json +++ b/packages/data-provider/package.json @@ -39,7 +39,7 @@ }, "homepage": "https://librechat.ai", "dependencies": { - "axios": "^1.12.1", + "axios": "^1.13.5", "dayjs": "^1.11.13", "js-yaml": "^4.1.1", "zod": "^3.22.4" From d6b6f191f705c066ecc2ca591127ca02601e83e5 Mon Sep 17 00:00:00 2001 From: Marco Beretta <81851188+berry-13@users.noreply.github.com> Date: Thu, 12 Feb 2026 04:08:40 +0100 Subject: [PATCH 05/55] =?UTF-8?q?=E2=99=BF=20style(MCP):=20Enhance=20dialo?= =?UTF-8?q?g=20accessibility=20and=20styling=20consistency=20(#11585)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * style: update input IDs in BasicInfoSection for consistency and improve accessibility * style: add border-destructive variable for improved design consistency * style: update error border color for title input in BasicInfoSection * style: update delete confirmation dialog title and description for MCP Server * style: add text-destructive variable for improved design consistency * style: update error message and border color for URL and trust fields for consistency * style: reorder imports and update error message styling for consistency across sections * style: enhance MCPServerDialog with copy link functionality and UI improvements * style: enhance MCPServerDialog with improved accessibility and loading indicators * style: bump @librechat/client to 0.4.51 and enhance OGDialogTemplate for improved selection handling * a11y: enhance accessibility and error handling in MCPServerDialog sections * style: enhance MCPServerDialog accessibility and improve resource name handling * style: improve accessibility in MCPServerDialog and AuthSection, update translation for delete confirmation * style: update aria-invalid attributes to use string values for improved accessibility in form sections * style: enhance accessibility in AuthSection by updating aria attributes and adding error messages * style: remove unnecessary aria-hidden attributes from Spinner components in MCPServerDialog * style: simplify legacy selection check in OGDialogTemplate --- .../MCPServerDialog/MCPServerForm.tsx | 4 +- .../MCPBuilder/MCPServerDialog/index.tsx | 115 +++++++++++------- .../MCPServerDialog/sections/AuthSection.tsx | 89 +++++++++++--- .../sections/BasicInfoSection.tsx | 38 +++--- .../sections/ConnectionSection.tsx | 16 ++- .../sections/TransportSection.tsx | 11 +- .../MCPServerDialog/sections/TrustSection.tsx | 22 ++-- client/src/locales/en/translation.json | 10 +- client/src/style.css | 4 + client/src/utils/resources.ts | 18 +-- client/tailwind.config.cjs | 2 + .../src/components/OGDialogTemplate.tsx | 103 ++++++++++------ packages/client/src/components/Radio.tsx | 4 + 13 files changed, 295 insertions(+), 141 deletions(-) diff --git a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/MCPServerForm.tsx b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/MCPServerForm.tsx index 188c518597..d4096ea96a 100644 --- a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/MCPServerForm.tsx +++ b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/MCPServerForm.tsx @@ -1,10 +1,10 @@ import { FormProvider } from 'react-hook-form'; +import type { useMCPServerForm } from './hooks/useMCPServerForm'; import ConnectionSection from './sections/ConnectionSection'; import BasicInfoSection from './sections/BasicInfoSection'; import TransportSection from './sections/TransportSection'; -import AuthSection from './sections/AuthSection'; import TrustSection from './sections/TrustSection'; -import type { useMCPServerForm } from './hooks/useMCPServerForm'; +import AuthSection from './sections/AuthSection'; interface MCPServerFormProps { formHook: ReturnType; diff --git a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/index.tsx b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/index.tsx index f86d3f8056..c9d3473d60 100644 --- a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/index.tsx +++ b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/index.tsx @@ -1,13 +1,18 @@ import React, { useState, useEffect } from 'react'; +import { Copy, CopyCheck } from 'lucide-react'; import { - OGDialog, - OGDialogTemplate, - OGDialogContent, - OGDialogHeader, - OGDialogTitle, + Label, + Input, Button, - TrashIcon, Spinner, + TrashIcon, + useToastContext, + OGDialog, + OGDialogTitle, + OGDialogHeader, + OGDialogFooter, + OGDialogContent, + OGDialogTemplate, } from '@librechat/client'; import { SystemRoles, @@ -16,10 +21,10 @@ import { PermissionBits, PermissionTypes, } from 'librechat-data-provider'; -import { GenericGrantAccessDialog } from '~/components/Sharing'; import { useAuthContext, useHasAccess, useResourcePermissions, MCPServerDefinition } from '~/hooks'; -import { useLocalize } from '~/hooks'; +import { GenericGrantAccessDialog } from '~/components/Sharing'; import { useMCPServerForm } from './hooks/useMCPServerForm'; +import { useLocalize, useCopyToClipboard } from '~/hooks'; import MCPServerForm from './MCPServerForm'; interface MCPServerDialogProps { @@ -39,8 +44,10 @@ export default function MCPServerDialog({ }: MCPServerDialogProps) { const localize = useLocalize(); const { user } = useAuthContext(); + const { showToast } = useToastContext(); // State for dialogs + const [isCopying, setIsCopying] = useState(false); const [showDeleteConfirm, setShowDeleteConfirm] = useState(false); const [showRedirectUriDialog, setShowRedirectUriDialog] = useState(false); const [createdServerId, setCreatedServerId] = useState(null); @@ -99,20 +106,26 @@ export default function MCPServerDialog({ ? `${window.location.origin}/api/mcp/${createdServerId}/oauth/callback` : ''; + const copyLink = useCopyToClipboard({ text: redirectUri }); + return ( <> {/* Delete confirmation dialog */} setShowDeleteConfirm(isOpen)}> {localize('com_ui_mcp_server_delete_confirm')}

} - selection={{ - selectHandler: handleDelete, - selectClasses: - 'bg-destructive text-white transition-all duration-200 hover:bg-destructive/80', - selectText: isDeleting ? : localize('com_ui_delete'), - }} + title={localize('com_ui_delete_mcp_server')} + className="w-11/12 max-w-md" + description={localize('com_ui_mcp_server_delete_confirm', { 0: server?.serverName })} + selection={ + + } /> @@ -127,48 +140,53 @@ export default function MCPServerDialog({ } }} > - - + + {localize('com_ui_mcp_server_created')} -
-

- {localize('com_ui_redirect_uri_instructions')} -

-
-
diff --git a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/ConnectionSection.tsx b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/ConnectionSection.tsx index 5d7094fd83..ee77a54699 100644 --- a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/ConnectionSection.tsx +++ b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/ConnectionSection.tsx @@ -15,13 +15,19 @@ export default function ConnectionSection() { return (
{ @@ -29,9 +35,13 @@ export default function ConnectionSection() { return isValidUrl(normalized) || localize('com_ui_mcp_invalid_url'); }, })} - className={cn(errors.url && 'border-red-500 focus:border-red-500')} + className={cn(errors.url && 'border-border-destructive')} /> - {errors.url &&

{errors.url.message}

} + {errors.url && ( + + )}
); } diff --git a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/TransportSection.tsx b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/TransportSection.tsx index 80d4595719..5c7b610b70 100644 --- a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/TransportSection.tsx +++ b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/TransportSection.tsx @@ -25,14 +25,19 @@ export default function TransportSection() { ); return ( -
- +
+ + + -
+ ); } diff --git a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/TrustSection.tsx b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/TrustSection.tsx index 854ac717b7..36d8d73a49 100644 --- a/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/TrustSection.tsx +++ b/client/src/components/SidePanel/MCPBuilder/MCPServerDialog/sections/TrustSection.tsx @@ -26,17 +26,17 @@ export default function TrustSection() { checked={field.value} onCheckedChange={field.onChange} aria-labelledby="trust-label" - aria-describedby="trust-description" + aria-describedby={ + errors.trust ? 'trust-description trust-error' : 'trust-description' + } + aria-invalid={errors.trust ? 'true' : 'false'} + aria-required="true" className="mt-0.5" /> )} /> -
{errors.trust && ( -

{localize('com_ui_field_required')}

+ )} ); diff --git a/client/src/locales/en/translation.json b/client/src/locales/en/translation.json index e961e6cd3c..491bc2258b 100644 --- a/client/src/locales/en/translation.json +++ b/client/src/locales/en/translation.json @@ -857,8 +857,11 @@ "com_ui_copy_url_to_clipboard": "Copy URL to clipboard", "com_ui_create": "Create", "com_ui_create_api_key": "Create API Key", + "com_ui_created": "Created", + "com_ui_creating": "Creating...", "com_ui_create_assistant": "Create Assistant", "com_ui_create_link": "Create link", + "com_ui_create_mcp_server": "Create MCP server", "com_ui_create_memory": "Create Memory", "com_ui_create_new_agent": "Create New Agent", "com_ui_create_prompt": "Create Prompt", @@ -893,6 +896,7 @@ "com_ui_decline": "I do not accept", "com_ui_default_post_request": "Default (POST request)", "com_ui_delete": "Delete", + "com_ui_deleting": "Deleting...", "com_ui_delete_action": "Delete Action", "com_ui_delete_action_confirm": "Are you sure you want to delete this action?", "com_ui_delete_agent": "Delete Agent", @@ -915,6 +919,8 @@ "com_ui_delete_tool": "Delete Tool", "com_ui_delete_tool_confirm": "Are you sure you want to delete this tool?", "com_ui_delete_tool_save_reminder": "Tool removed. Save the agent to apply changes.", + "com_ui_delete_mcp_server": "Delete MCP Server?", + "com_ui_delete_mcp_server_name": "Delete MCP server {{0}}", "com_ui_deleted": "Deleted", "com_ui_deleting_file": "Deleting file...", "com_ui_descending": "Desc", @@ -1111,7 +1117,7 @@ "com_ui_mcp_server": "MCP Server", "com_ui_mcp_server_connection_failed": "Connection attempt to the provided MCP server failed. Please make sure the URL, the server type, and any authentication configuration are correct, then try again. Also ensure the URL is reachable.", "com_ui_mcp_server_created": "MCP server created successfully", - "com_ui_mcp_server_delete_confirm": "Are you sure you want to delete this MCP server?", + "com_ui_mcp_server_delete_confirm": "Are you sure you want to delete the {{0}} MCP server?", "com_ui_mcp_server_deleted": "MCP server deleted successfully", "com_ui_mcp_server_role_editor": "MCP Server Editor", "com_ui_mcp_server_role_editor_desc": "Can view, use, and edit MCP servers", @@ -1438,6 +1444,8 @@ "com_ui_unset": "Unset", "com_ui_untitled": "Untitled", "com_ui_update": "Update", + "com_ui_updating": "Updating...", + "com_ui_update_mcp_server": "Update MCP server", "com_ui_upload": "Upload", "com_ui_upload_agent_avatar": "Successfully updated agent avatar", "com_ui_upload_agent_avatar_label": "Upload agent avatar image", diff --git a/client/src/style.css b/client/src/style.css index 689c05423d..cf3ea50294 100644 --- a/client/src/style.css +++ b/client/src/style.css @@ -70,6 +70,7 @@ html { --text-secondary-alt: var(--gray-500); --text-tertiary: var(--gray-500); --text-warning: var(--amber-500); + --text-destructive: var(--red-600); --ring-primary: var(--gray-500); --header-primary: var(--white); --header-hover: var(--gray-50); @@ -96,6 +97,7 @@ html { --border-medium: var(--gray-300); --border-heavy: var(--gray-400); --border-xheavy: var(--gray-500); + --border-destructive: var(--red-600); /* These are test styles */ --background: 0 0% 100%; @@ -131,6 +133,7 @@ html { --text-secondary-alt: var(--gray-400); --text-tertiary: var(--gray-500); --text-warning: var(--amber-500); + --text-destructive: var(--red-600); --header-primary: var(--gray-700); --header-hover: var(--gray-600); --header-button-hover: var(--gray-700); @@ -156,6 +159,7 @@ html { --border-medium: var(--gray-600); --border-heavy: var(--gray-500); --border-xheavy: var(--gray-400); + --border-destructive: var(--red-500); /* These are test styles */ --background: 0 0% 7%; diff --git a/client/src/utils/resources.ts b/client/src/utils/resources.ts index 9b68cef3f6..7a1e2b86c1 100644 --- a/client/src/utils/resources.ts +++ b/client/src/utils/resources.ts @@ -19,10 +19,10 @@ export const RESOURCE_CONFIGS: Record = { defaultEditorRoleId: AccessRoleIds.AGENT_EDITOR, defaultOwnerRoleId: AccessRoleIds.AGENT_OWNER, getResourceUrl: (agentId: string) => `${window.location.origin}/c/new?agent_id=${agentId}`, - getResourceName: (name?: string) => (name && name !== '' ? `"${name}"` : 'agent'), - getShareMessage: (name?: string) => (name && name !== '' ? `"${name}"` : 'agent'), + getResourceName: (name?: string) => (name && name !== '' ? name : 'agent'), + getShareMessage: (name?: string) => (name && name !== '' ? name : 'agent'), getManageMessage: (name?: string) => - `Manage permissions for ${name && name !== '' ? `"${name}"` : 'agent'}`, + `Manage permissions for ${name && name !== '' ? name : 'agent'}`, getCopyUrlMessage: () => 'Agent URL copied', }, [ResourceType.PROMPTGROUP]: { @@ -30,10 +30,10 @@ export const RESOURCE_CONFIGS: Record = { defaultViewerRoleId: AccessRoleIds.PROMPTGROUP_VIEWER, defaultEditorRoleId: AccessRoleIds.PROMPTGROUP_EDITOR, defaultOwnerRoleId: AccessRoleIds.PROMPTGROUP_OWNER, - getResourceName: (name?: string) => (name && name !== '' ? `"${name}"` : 'prompt'), - getShareMessage: (name?: string) => (name && name !== '' ? `"${name}"` : 'prompt'), + getResourceName: (name?: string) => (name && name !== '' ? name : 'prompt'), + getShareMessage: (name?: string) => (name && name !== '' ? name : 'prompt'), getManageMessage: (name?: string) => - `Manage permissions for ${name && name !== '' ? `"${name}"` : 'prompt'}`, + `Manage permissions for ${name && name !== '' ? name : 'prompt'}`, getCopyUrlMessage: () => 'Prompt URL copied', }, [ResourceType.MCPSERVER]: { @@ -41,10 +41,10 @@ export const RESOURCE_CONFIGS: Record = { defaultViewerRoleId: AccessRoleIds.MCPSERVER_VIEWER, defaultEditorRoleId: AccessRoleIds.MCPSERVER_EDITOR, defaultOwnerRoleId: AccessRoleIds.MCPSERVER_OWNER, - getResourceName: (name?: string) => (name && name !== '' ? `"${name}"` : 'MCP server'), - getShareMessage: (name?: string) => (name && name !== '' ? `"${name}"` : 'MCP server'), + getResourceName: (name?: string) => (name && name !== '' ? name : 'MCP server'), + getShareMessage: (name?: string) => (name && name !== '' ? name : 'MCP server'), getManageMessage: (name?: string) => - `Manage permissions for ${name && name !== '' ? `"${name}"` : 'MCP server'}`, + `Manage permissions for ${name && name !== '' ? name : 'MCP server'}`, getCopyUrlMessage: () => 'MCP Server URL copied', }, [ResourceType.REMOTE_AGENT]: { diff --git a/client/tailwind.config.cjs b/client/tailwind.config.cjs index c30d2ca703..624998e9d8 100644 --- a/client/tailwind.config.cjs +++ b/client/tailwind.config.cjs @@ -92,6 +92,7 @@ module.exports = { 'text-secondary-alt': 'var(--text-secondary-alt)', 'text-tertiary': 'var(--text-tertiary)', 'text-warning': 'var(--text-warning)', + 'text-destructive': 'var(--text-destructive)', 'ring-primary': 'var(--ring-primary)', 'header-primary': 'var(--header-primary)', 'header-hover': 'var(--header-hover)', @@ -118,6 +119,7 @@ module.exports = { 'border-medium-alt': 'var(--border-medium-alt)', 'border-heavy': 'var(--border-heavy)', 'border-xheavy': 'var(--border-xheavy)', + 'border-destructive': 'var(--border-destructive)', /* These are test styles */ border: 'hsl(var(--border))', input: 'hsl(var(--input))', diff --git a/packages/client/src/components/OGDialogTemplate.tsx b/packages/client/src/components/OGDialogTemplate.tsx index 8bf2cea090..300ae5b194 100644 --- a/packages/client/src/components/OGDialogTemplate.tsx +++ b/packages/client/src/components/OGDialogTemplate.tsx @@ -1,4 +1,4 @@ -import { forwardRef, ReactNode, Ref } from 'react'; +import { forwardRef, isValidElement, ReactNode, Ref } from 'react'; import { OGDialogTitle, OGDialogClose, @@ -19,13 +19,39 @@ type SelectionProps = { isLoading?: boolean; }; +/** + * Type guard to check if selection is a legacy SelectionProps object + */ +function isSelectionProps(selection: unknown): selection is SelectionProps { + return ( + typeof selection === 'object' && + selection !== null && + !isValidElement(selection) && + ('selectHandler' in selection || + 'selectClasses' in selection || + 'selectText' in selection || + 'isLoading' in selection) + ); +} + type DialogTemplateProps = { title: string; description?: string; main?: ReactNode; buttons?: ReactNode; leftButtons?: ReactNode; - selection?: SelectionProps; + /** + * Selection button configuration. Can be either: + * - An object with selectHandler, selectClasses, selectText, isLoading (legacy) + * - A ReactNode for custom selection component + * @example + * // Legacy usage + * selection={{ selectHandler: () => {}, selectText: 'Confirm' }} + * @example + * // Custom component + * selection={} + */ + selection?: SelectionProps | ReactNode; className?: string; overlayClassName?: string; headerClassName?: string; @@ -49,14 +75,39 @@ const OGDialogTemplate = forwardRef((props: DialogTemplateProps, ref: Ref + {isLoading === true ? ( + + ) : ( + (selectText as React.JSX.Element) + )} + + ); + } else if (selection) { + selectionContent = selection; + } + return (
{main != null ? main : null}
-
- {leftButtons != null ? ( -
- {leftButtons} -
- ) : null} -
-
- {showCancelButton && ( - - - - )} - {buttons != null ? buttons : null} - {selection ? ( - - {isLoading === true ? ( - - ) : ( - (selectText as React.JSX.Element) - )} - - ) : null} -
+ {leftButtons != null ? ( +
{leftButtons}
+ ) : null} + {showCancelButton && ( + + + + )} + {buttons != null ? buttons : null} + {selectionContent} ); diff --git a/packages/client/src/components/Radio.tsx b/packages/client/src/components/Radio.tsx index b4c9c21259..2f52387981 100644 --- a/packages/client/src/components/Radio.tsx +++ b/packages/client/src/components/Radio.tsx @@ -14,6 +14,7 @@ interface RadioProps { disabled?: boolean; className?: string; fullWidth?: boolean; + 'aria-labelledby'?: string; } const Radio = memo(function Radio({ @@ -23,6 +24,7 @@ const Radio = memo(function Radio({ disabled = false, className = '', fullWidth = false, + 'aria-labelledby': ariaLabelledBy, }: RadioProps) { const localize = useLocalize(); const buttonRefs = useRef<(HTMLButtonElement | null)[]>([]); @@ -79,6 +81,7 @@ const Radio = memo(function Radio({
{localize('com_ui_no_options')} @@ -93,6 +96,7 @@ const Radio = memo(function Radio({
{selectedIndex >= 0 && isMounted && (
Date: Wed, 11 Feb 2026 22:09:58 -0500 Subject: [PATCH 06/55] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20fix:=20Implement?= =?UTF-8?q?=20TOCTOU-Safe=20SSRF=20Protection=20for=20Actions=20and=20MCP?= =?UTF-8?q?=20(#11722)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * refactor: better SSRF Protection in Action and Tool Services - Added `createSSRFSafeAgents` function to create HTTP/HTTPS agents that block connections to private/reserved IP addresses, enhancing security against SSRF attacks. - Updated `createActionTool` to accept a `useSSRFProtection` parameter, allowing the use of SSRF-safe agents during tool execution. - Modified `processRequiredActions` and `loadAgentTools` to utilize the new SSRF protection feature based on allowed domains configuration. - Introduced `resolveHostnameSSRF` function to validate resolved IPs against private ranges, preventing potential SSRF vulnerabilities. - Enhanced tests for domain resolution and private IP detection to ensure robust SSRF protection mechanisms are in place. * feat: Implement SSRF protection in MCP connections - Added `createSSRFSafeUndiciConnect` function to provide SSRF-safe DNS lookup options for undici agents. - Updated `MCPConnection`, `MCPConnectionFactory`, and `ConnectionsRepository` to include `useSSRFProtection` parameter, enabling SSRF protection based on server configuration. - Enhanced `MCPManager` and `UserConnectionManager` to utilize SSRF protection when establishing connections. - Updated tests to validate the integration of SSRF protection across various components, ensuring robust security measures are in place. * refactor: WS MCPConnection with SSRF protection and async transport construction - Added `resolveHostnameSSRF` to validate WebSocket hostnames against private IP addresses, enhancing SSRF protection. - Updated `constructTransport` method to be asynchronous, ensuring proper handling of SSRF checks before establishing connections. - Improved error handling for WebSocket transport to prevent connections to potentially unsafe addresses. * test: Enhance ActionRequest tests for SSRF-safe agent passthrough - Added tests to verify that httpAgent and httpsAgent are correctly passed to axios.create when provided in ActionRequest. - Included scenarios to ensure agents are not included when no options are specified. - Enhanced coverage for POST requests to confirm agent passthrough functionality. - Improved overall test robustness for SSRF protection in ActionRequest execution. --- api/server/services/ActionService.js | 6 +- api/server/services/ToolService.js | 5 + packages/api/src/auth/agent.spec.ts | 113 +++++++++++++ packages/api/src/auth/agent.ts | 61 +++++++ packages/api/src/auth/domain.spec.ts | 159 ++++++++++++++++++ packages/api/src/auth/domain.ts | 135 ++++++++++----- packages/api/src/auth/index.ts | 1 + packages/api/src/mcp/ConnectionsRepository.ts | 1 + packages/api/src/mcp/MCPConnectionFactory.ts | 5 + packages/api/src/mcp/MCPManager.ts | 3 +- packages/api/src/mcp/UserConnectionManager.ts | 1 + .../__tests__/ConnectionsRepository.test.ts | 4 + .../__tests__/MCPConnectionFactory.test.ts | 3 + .../api/src/mcp/__tests__/MCPManager.test.ts | 1 + packages/api/src/mcp/connection.ts | 21 ++- .../src/mcp/registry/MCPServerInspector.ts | 5 +- .../src/mcp/registry/MCPServersRegistry.ts | 9 + .../__tests__/MCPServerInspector.test.ts | 1 + packages/api/src/mcp/types/index.ts | 1 + packages/data-provider/specs/actions.spec.ts | 76 +++++++++ packages/data-provider/src/actions.ts | 9 +- 21 files changed, 567 insertions(+), 53 deletions(-) create mode 100644 packages/api/src/auth/agent.spec.ts create mode 100644 packages/api/src/auth/agent.ts diff --git a/api/server/services/ActionService.js b/api/server/services/ActionService.js index 132f6f4686..5e96726a46 100644 --- a/api/server/services/ActionService.js +++ b/api/server/services/ActionService.js @@ -8,6 +8,7 @@ const { logAxiosError, refreshAccessToken, GenerationJobManager, + createSSRFSafeAgents, } = require('@librechat/api'); const { Time, @@ -133,6 +134,7 @@ async function loadActionSets(searchParams) { * @param {import('zod').ZodTypeAny | undefined} [params.zodSchema] - The Zod schema for tool input validation/definition * @param {{ oauth_client_id?: string; oauth_client_secret?: string; }} params.encrypted - The encrypted values for the action. * @param {string | null} [params.streamId] - The stream ID for resumable streams. + * @param {boolean} [params.useSSRFProtection] - When true, uses SSRF-safe HTTP agents that validate resolved IPs at connect time. * @returns { Promise unknown}> } An object with `_call` method to execute the tool input. */ async function createActionTool({ @@ -145,7 +147,9 @@ async function createActionTool({ description, encrypted, streamId = null, + useSSRFProtection = false, }) { + const ssrfAgents = useSSRFProtection ? createSSRFSafeAgents() : undefined; /** @type {(toolInput: Object | string, config: GraphRunnableConfig) => Promise} */ const _call = async (toolInput, config) => { try { @@ -324,7 +328,7 @@ async function createActionTool({ } } - const response = await preparedExecutor.execute(); + const response = await preparedExecutor.execute(ssrfAgents); if (typeof response.data === 'object') { return JSON.stringify(response.data); diff --git a/api/server/services/ToolService.js b/api/server/services/ToolService.js index fe7a0f40c2..7f8c1d0460 100644 --- a/api/server/services/ToolService.js +++ b/api/server/services/ToolService.js @@ -338,6 +338,7 @@ async function processRequiredActions(client, requiredActions) { } // We've already decrypted the metadata, so we can pass it directly + const _allowedDomains = appConfig?.actions?.allowedDomains; tool = await createActionTool({ userId: client.req.user.id, res: client.res, @@ -345,6 +346,7 @@ async function processRequiredActions(client, requiredActions) { requestBuilder, // Note: intentionally not passing zodSchema, name, and description for assistants API encrypted, // Pass the encrypted values for OAuth flow + useSSRFProtection: !Array.isArray(_allowedDomains) || _allowedDomains.length === 0, }); if (!tool) { logger.warn( @@ -1064,6 +1066,7 @@ async function loadAgentTools({ const zodSchema = zodSchemas[functionName]; if (requestBuilder) { + const _allowedDomains = appConfig?.actions?.allowedDomains; const tool = await createActionTool({ userId: req.user.id, res, @@ -1074,6 +1077,7 @@ async function loadAgentTools({ name: toolName, description: functionSig.description, streamId, + useSSRFProtection: !Array.isArray(_allowedDomains) || _allowedDomains.length === 0, }); if (!tool) { @@ -1372,6 +1376,7 @@ async function loadActionToolsForExecution({ requestBuilder, name: toolName, description: functionSig?.description ?? '', + useSSRFProtection: !Array.isArray(allowedDomains) || allowedDomains.length === 0, }); if (!tool) { diff --git a/packages/api/src/auth/agent.spec.ts b/packages/api/src/auth/agent.spec.ts new file mode 100644 index 0000000000..9ab2a9aaf9 --- /dev/null +++ b/packages/api/src/auth/agent.spec.ts @@ -0,0 +1,113 @@ +jest.mock('node:dns', () => { + const actual = jest.requireActual('node:dns'); + return { + ...actual, + lookup: jest.fn(), + }; +}); + +import dns from 'node:dns'; +import { createSSRFSafeAgents, createSSRFSafeUndiciConnect } from './agent'; + +type LookupCallback = (err: NodeJS.ErrnoException | null, address: string, family: number) => void; + +const mockedDnsLookup = dns.lookup as jest.MockedFunction; + +function mockDnsResult(address: string, family: number): void { + mockedDnsLookup.mockImplementation((( + _hostname: string, + _options: unknown, + callback: LookupCallback, + ) => { + callback(null, address, family); + }) as never); +} + +function mockDnsError(err: NodeJS.ErrnoException): void { + mockedDnsLookup.mockImplementation((( + _hostname: string, + _options: unknown, + callback: LookupCallback, + ) => { + callback(err, '', 0); + }) as never); +} + +describe('createSSRFSafeAgents', () => { + afterEach(() => { + jest.clearAllMocks(); + }); + + it('should return httpAgent and httpsAgent', () => { + const agents = createSSRFSafeAgents(); + expect(agents.httpAgent).toBeDefined(); + expect(agents.httpsAgent).toBeDefined(); + }); + + it('should patch httpAgent createConnection to inject SSRF lookup', () => { + const agents = createSSRFSafeAgents(); + const internal = agents.httpAgent as unknown as { + createConnection: (opts: Record) => unknown; + }; + expect(internal.createConnection).toBeInstanceOf(Function); + }); +}); + +describe('createSSRFSafeUndiciConnect', () => { + afterEach(() => { + jest.clearAllMocks(); + }); + + it('should return an object with a lookup function', () => { + const connect = createSSRFSafeUndiciConnect(); + expect(connect).toHaveProperty('lookup'); + expect(connect.lookup).toBeInstanceOf(Function); + }); + + it('lookup should block private IPs', async () => { + mockDnsResult('10.0.0.1', 4); + const connect = createSSRFSafeUndiciConnect(); + + const result = await new Promise<{ err: NodeJS.ErrnoException | null }>((resolve) => { + connect.lookup('evil.example.com', {}, (err) => { + resolve({ err }); + }); + }); + + expect(result.err).toBeTruthy(); + expect(result.err!.code).toBe('ESSRF'); + }); + + it('lookup should allow public IPs', async () => { + mockDnsResult('93.184.216.34', 4); + const connect = createSSRFSafeUndiciConnect(); + + const result = await new Promise<{ err: NodeJS.ErrnoException | null; address: string }>( + (resolve) => { + connect.lookup('example.com', {}, (err, address) => { + resolve({ err, address: address as string }); + }); + }, + ); + + expect(result.err).toBeNull(); + expect(result.address).toBe('93.184.216.34'); + }); + + it('lookup should forward DNS errors', async () => { + const dnsError = Object.assign(new Error('ENOTFOUND'), { + code: 'ENOTFOUND', + }) as NodeJS.ErrnoException; + mockDnsError(dnsError); + const connect = createSSRFSafeUndiciConnect(); + + const result = await new Promise<{ err: NodeJS.ErrnoException | null }>((resolve) => { + connect.lookup('nonexistent.example.com', {}, (err) => { + resolve({ err }); + }); + }); + + expect(result.err).toBeTruthy(); + expect(result.err!.code).toBe('ENOTFOUND'); + }); +}); diff --git a/packages/api/src/auth/agent.ts b/packages/api/src/auth/agent.ts new file mode 100644 index 0000000000..2442aa20fa --- /dev/null +++ b/packages/api/src/auth/agent.ts @@ -0,0 +1,61 @@ +import dns from 'node:dns'; +import http from 'node:http'; +import https from 'node:https'; +import type { LookupFunction } from 'node:net'; +import { isPrivateIP } from './domain'; + +/** DNS lookup wrapper that blocks resolution to private/reserved IP addresses */ +const ssrfSafeLookup: LookupFunction = (hostname, options, callback) => { + dns.lookup(hostname, options, (err, address, family) => { + if (err) { + callback(err, '', 0); + return; + } + if (typeof address === 'string' && isPrivateIP(address)) { + const ssrfError = Object.assign( + new Error(`SSRF protection: ${hostname} resolved to blocked address ${address}`), + { code: 'ESSRF' }, + ) as NodeJS.ErrnoException; + callback(ssrfError, address, family as number); + return; + } + callback(null, address as string, family as number); + }); +}; + +/** Internal agent shape exposing createConnection (exists at runtime but not in TS types) */ +type AgentInternal = { + createConnection: (options: Record, oncreate?: unknown) => unknown; +}; + +/** Patches an agent instance to inject SSRF-safe DNS lookup at connect time */ +function withSSRFProtection(agent: T): T { + const internal = agent as unknown as AgentInternal; + const origCreate = internal.createConnection.bind(agent); + internal.createConnection = (options: Record, oncreate?: unknown) => { + options.lookup = ssrfSafeLookup; + return origCreate(options, oncreate); + }; + return agent; +} + +/** + * Creates HTTP and HTTPS agents that block TCP connections to private/reserved IP addresses. + * Provides TOCTOU-safe SSRF protection by validating the resolved IP at connect time, + * preventing DNS rebinding attacks where a hostname resolves to a public IP during + * pre-validation but to a private IP when the actual connection is made. + */ +export function createSSRFSafeAgents(): { httpAgent: http.Agent; httpsAgent: https.Agent } { + return { + httpAgent: withSSRFProtection(new http.Agent()), + httpsAgent: withSSRFProtection(new https.Agent()), + }; +} + +/** + * Returns undici-compatible `connect` options with SSRF-safe DNS lookup. + * Pass the result as the `connect` property when constructing an undici `Agent`. + */ +export function createSSRFSafeUndiciConnect(): { lookup: LookupFunction } { + return { lookup: ssrfSafeLookup }; +} diff --git a/packages/api/src/auth/domain.spec.ts b/packages/api/src/auth/domain.spec.ts index a2b4c42cd7..5f6187c9b4 100644 --- a/packages/api/src/auth/domain.spec.ts +++ b/packages/api/src/auth/domain.spec.ts @@ -1,12 +1,21 @@ /* eslint-disable @typescript-eslint/ban-ts-comment */ +jest.mock('node:dns/promises', () => ({ + lookup: jest.fn(), +})); + +import { lookup } from 'node:dns/promises'; import { extractMCPServerDomain, isActionDomainAllowed, isEmailDomainAllowed, isMCPDomainAllowed, + isPrivateIP, isSSRFTarget, + resolveHostnameSSRF, } from './domain'; +const mockedLookup = lookup as jest.MockedFunction; + describe('isEmailDomainAllowed', () => { afterEach(() => { jest.clearAllMocks(); @@ -192,7 +201,154 @@ describe('isSSRFTarget', () => { }); }); +describe('isPrivateIP', () => { + describe('IPv4 private ranges', () => { + it('should detect loopback addresses', () => { + expect(isPrivateIP('127.0.0.1')).toBe(true); + expect(isPrivateIP('127.255.255.255')).toBe(true); + }); + + it('should detect 10.x.x.x private range', () => { + expect(isPrivateIP('10.0.0.1')).toBe(true); + expect(isPrivateIP('10.255.255.255')).toBe(true); + }); + + it('should detect 172.16-31.x.x private range', () => { + expect(isPrivateIP('172.16.0.1')).toBe(true); + expect(isPrivateIP('172.31.255.255')).toBe(true); + expect(isPrivateIP('172.15.0.1')).toBe(false); + expect(isPrivateIP('172.32.0.1')).toBe(false); + }); + + it('should detect 192.168.x.x private range', () => { + expect(isPrivateIP('192.168.0.1')).toBe(true); + expect(isPrivateIP('192.168.255.255')).toBe(true); + }); + + it('should detect 169.254.x.x link-local range', () => { + expect(isPrivateIP('169.254.169.254')).toBe(true); + expect(isPrivateIP('169.254.0.1')).toBe(true); + }); + + it('should detect 0.0.0.0', () => { + expect(isPrivateIP('0.0.0.0')).toBe(true); + }); + + it('should allow public IPs', () => { + expect(isPrivateIP('8.8.8.8')).toBe(false); + expect(isPrivateIP('1.1.1.1')).toBe(false); + expect(isPrivateIP('93.184.216.34')).toBe(false); + }); + }); + + describe('IPv6 private ranges', () => { + it('should detect loopback', () => { + expect(isPrivateIP('::1')).toBe(true); + expect(isPrivateIP('::')).toBe(true); + expect(isPrivateIP('[::1]')).toBe(true); + }); + + it('should detect unique local (fc/fd) and link-local (fe80)', () => { + expect(isPrivateIP('fc00::1')).toBe(true); + expect(isPrivateIP('fd00::1')).toBe(true); + expect(isPrivateIP('fe80::1')).toBe(true); + }); + }); + + describe('IPv4-mapped IPv6 addresses', () => { + it('should detect private IPs in IPv4-mapped IPv6 form', () => { + expect(isPrivateIP('::ffff:169.254.169.254')).toBe(true); + expect(isPrivateIP('::ffff:127.0.0.1')).toBe(true); + expect(isPrivateIP('::ffff:10.0.0.1')).toBe(true); + expect(isPrivateIP('::ffff:192.168.1.1')).toBe(true); + }); + + it('should allow public IPs in IPv4-mapped IPv6 form', () => { + expect(isPrivateIP('::ffff:8.8.8.8')).toBe(false); + expect(isPrivateIP('::ffff:93.184.216.34')).toBe(false); + }); + }); +}); + +describe('resolveHostnameSSRF', () => { + afterEach(() => { + jest.clearAllMocks(); + }); + + it('should detect domains that resolve to private IPs (nip.io bypass)', async () => { + mockedLookup.mockResolvedValueOnce([{ address: '169.254.169.254', family: 4 }] as never); + expect(await resolveHostnameSSRF('169.254.169.254.nip.io')).toBe(true); + }); + + it('should detect domains that resolve to loopback', async () => { + mockedLookup.mockResolvedValueOnce([{ address: '127.0.0.1', family: 4 }] as never); + expect(await resolveHostnameSSRF('loopback.example.com')).toBe(true); + }); + + it('should detect when any resolved address is private', async () => { + mockedLookup.mockResolvedValueOnce([ + { address: '93.184.216.34', family: 4 }, + { address: '10.0.0.1', family: 4 }, + ] as never); + expect(await resolveHostnameSSRF('dual.example.com')).toBe(true); + }); + + it('should allow domains that resolve to public IPs', async () => { + mockedLookup.mockResolvedValueOnce([{ address: '93.184.216.34', family: 4 }] as never); + expect(await resolveHostnameSSRF('example.com')).toBe(false); + }); + + it('should skip literal IPv4 addresses (handled by isSSRFTarget)', async () => { + expect(await resolveHostnameSSRF('169.254.169.254')).toBe(false); + expect(mockedLookup).not.toHaveBeenCalled(); + }); + + it('should skip literal IPv6 addresses', async () => { + expect(await resolveHostnameSSRF('::1')).toBe(false); + expect(mockedLookup).not.toHaveBeenCalled(); + }); + + it('should fail open on DNS resolution failure', async () => { + mockedLookup.mockRejectedValueOnce(new Error('ENOTFOUND')); + expect(await resolveHostnameSSRF('nonexistent.example.com')).toBe(false); + }); +}); + +describe('isActionDomainAllowed - DNS resolution SSRF protection', () => { + afterEach(() => { + jest.clearAllMocks(); + }); + + it('should block domains resolving to cloud metadata IP (169.254.169.254)', async () => { + mockedLookup.mockResolvedValueOnce([{ address: '169.254.169.254', family: 4 }] as never); + expect(await isActionDomainAllowed('169.254.169.254.nip.io', null)).toBe(false); + }); + + it('should block domains resolving to private 10.x range', async () => { + mockedLookup.mockResolvedValueOnce([{ address: '10.0.0.5', family: 4 }] as never); + expect(await isActionDomainAllowed('internal.attacker.com', null)).toBe(false); + }); + + it('should block domains resolving to 172.16.x range', async () => { + mockedLookup.mockResolvedValueOnce([{ address: '172.16.0.1', family: 4 }] as never); + expect(await isActionDomainAllowed('docker.attacker.com', null)).toBe(false); + }); + + it('should allow domains resolving to public IPs when no allowlist', async () => { + mockedLookup.mockResolvedValueOnce([{ address: '93.184.216.34', family: 4 }] as never); + expect(await isActionDomainAllowed('example.com', null)).toBe(true); + }); + + it('should not perform DNS check when allowedDomains is configured', async () => { + expect(await isActionDomainAllowed('example.com', ['example.com'])).toBe(true); + expect(mockedLookup).not.toHaveBeenCalled(); + }); +}); + describe('isActionDomainAllowed', () => { + beforeEach(() => { + mockedLookup.mockResolvedValue([{ address: '93.184.216.34', family: 4 }] as never); + }); afterEach(() => { jest.clearAllMocks(); }); @@ -541,6 +697,9 @@ describe('extractMCPServerDomain', () => { }); describe('isMCPDomainAllowed', () => { + beforeEach(() => { + mockedLookup.mockResolvedValue([{ address: '93.184.216.34', family: 4 }] as never); + }); afterEach(() => { jest.clearAllMocks(); }); diff --git a/packages/api/src/auth/domain.ts b/packages/api/src/auth/domain.ts index 5d9fc51d02..f2e86875d4 100644 --- a/packages/api/src/auth/domain.ts +++ b/packages/api/src/auth/domain.ts @@ -1,3 +1,5 @@ +import { lookup } from 'node:dns/promises'; + /** * @param email * @param allowedDomains @@ -22,6 +24,88 @@ export function isEmailDomainAllowed(email: string, allowedDomains?: string[] | return allowedDomains.some((allowedDomain) => allowedDomain?.toLowerCase() === domain); } +/** Checks if IPv4 octets fall within private, reserved, or link-local ranges */ +function isPrivateIPv4(a: number, b: number, c: number): boolean { + if (a === 127) { + return true; + } + if (a === 10) { + return true; + } + if (a === 172 && b >= 16 && b <= 31) { + return true; + } + if (a === 192 && b === 168) { + return true; + } + if (a === 169 && b === 254) { + return true; + } + if (a === 0 && b === 0 && c === 0) { + return true; + } + return false; +} + +/** + * Checks if an IP address belongs to a private, reserved, or link-local range. + * Handles IPv4, IPv6, and IPv4-mapped IPv6 addresses (::ffff:A.B.C.D). + */ +export function isPrivateIP(ip: string): boolean { + const normalized = ip.toLowerCase().trim(); + + const mappedMatch = normalized.match(/^::ffff:(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/); + if (mappedMatch) { + const [, a, b, c] = mappedMatch.map(Number); + return isPrivateIPv4(a, b, c); + } + + const ipv4Match = normalized.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/); + if (ipv4Match) { + const [, a, b, c] = ipv4Match.map(Number); + return isPrivateIPv4(a, b, c); + } + + const ipv6 = normalized.replace(/^\[|\]$/g, ''); + if ( + ipv6 === '::1' || + ipv6 === '::' || + ipv6.startsWith('fc') || + ipv6.startsWith('fd') || + ipv6.startsWith('fe80') + ) { + return true; + } + + return false; +} + +/** + * Resolves a hostname via DNS and checks if any resolved address is a private/reserved IP. + * Detects DNS-based SSRF bypasses (e.g., nip.io wildcard DNS, attacker-controlled nameservers). + * Fails open: returns false if DNS resolution fails, since hostname-only checks still apply + * and the actual HTTP request would also fail. + */ +export async function resolveHostnameSSRF(hostname: string): Promise { + const normalizedHost = hostname.toLowerCase().trim(); + + if (/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.test(normalizedHost)) { + return false; + } + + const ipv6Check = normalizedHost.replace(/^\[|\]$/g, ''); + if (ipv6Check.includes(':')) { + return false; + } + + try { + const addresses = await lookup(hostname, { all: true }); + return addresses.some((entry) => isPrivateIP(entry.address)); + } catch { + return false; + } +} + /** * SSRF Protection: Checks if a hostname/IP is a potentially dangerous internal target. * Blocks private IPs, localhost, cloud metadata IPs, and common internal hostnames. @@ -31,7 +115,6 @@ export function isEmailDomainAllowed(email: string, allowedDomains?: string[] | export function isSSRFTarget(hostname: string): boolean { const normalizedHost = hostname.toLowerCase().trim(); - // Block localhost variations if ( normalizedHost === 'localhost' || normalizedHost === 'localhost.localdomain' || @@ -40,51 +123,7 @@ export function isSSRFTarget(hostname: string): boolean { return true; } - // Check if it's an IP address and block private/internal ranges - const ipv4Match = normalizedHost.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/); - if (ipv4Match) { - const [, a, b, c] = ipv4Match.map(Number); - - // 127.0.0.0/8 - Loopback - if (a === 127) { - return true; - } - - // 10.0.0.0/8 - Private - if (a === 10) { - return true; - } - - // 172.16.0.0/12 - Private (172.16.x.x - 172.31.x.x) - if (a === 172 && b >= 16 && b <= 31) { - return true; - } - - // 192.168.0.0/16 - Private - if (a === 192 && b === 168) { - return true; - } - - // 169.254.0.0/16 - Link-local (includes cloud metadata 169.254.169.254) - if (a === 169 && b === 254) { - return true; - } - - // 0.0.0.0 - Special - if (a === 0 && b === 0 && c === 0) { - return true; - } - } - - // IPv6 loopback and private ranges - const ipv6Normalized = normalizedHost.replace(/^\[|\]$/g, ''); // Remove brackets if present - if ( - ipv6Normalized === '::1' || - ipv6Normalized === '::' || - ipv6Normalized.startsWith('fc') || // fc00::/7 - Unique local - ipv6Normalized.startsWith('fd') || // fd00::/8 - Unique local - ipv6Normalized.startsWith('fe80') // fe80::/10 - Link-local - ) { + if (isPrivateIP(normalizedHost)) { return true; } @@ -257,6 +296,10 @@ async function isDomainAllowedCore( if (isSSRFTarget(inputSpec.hostname)) { return false; } + /** SECURITY: Resolve hostname and block if it points to a private/reserved IP */ + if (await resolveHostnameSSRF(inputSpec.hostname)) { + return false; + } return true; } diff --git a/packages/api/src/auth/index.ts b/packages/api/src/auth/index.ts index d15d94aad2..392605ef50 100644 --- a/packages/api/src/auth/index.ts +++ b/packages/api/src/auth/index.ts @@ -1,3 +1,4 @@ export * from './domain'; export * from './openid'; export * from './exchange'; +export * from './agent'; diff --git a/packages/api/src/mcp/ConnectionsRepository.ts b/packages/api/src/mcp/ConnectionsRepository.ts index e2c48c88ab..49d0799085 100644 --- a/packages/api/src/mcp/ConnectionsRepository.ts +++ b/packages/api/src/mcp/ConnectionsRepository.ts @@ -73,6 +73,7 @@ export class ConnectionsRepository { { serverName, serverConfig, + useSSRFProtection: MCPServersRegistry.getInstance().shouldEnableSSRFProtection(), }, this.oauthOpts, ); diff --git a/packages/api/src/mcp/MCPConnectionFactory.ts b/packages/api/src/mcp/MCPConnectionFactory.ts index bcc63b7500..748cd0a967 100644 --- a/packages/api/src/mcp/MCPConnectionFactory.ts +++ b/packages/api/src/mcp/MCPConnectionFactory.ts @@ -29,6 +29,7 @@ export class MCPConnectionFactory { protected readonly serverConfig: t.MCPOptions; protected readonly logPrefix: string; protected readonly useOAuth: boolean; + protected readonly useSSRFProtection: boolean; // OAuth-related properties (only set when useOAuth is true) protected readonly userId?: string; @@ -72,6 +73,7 @@ export class MCPConnectionFactory { serverConfig: this.serverConfig, userId: this.userId, oauthTokens, + useSSRFProtection: this.useSSRFProtection, }); const oauthHandler = async () => { @@ -146,6 +148,7 @@ export class MCPConnectionFactory { serverConfig: this.serverConfig, userId: this.userId, oauthTokens: null, + useSSRFProtection: this.useSSRFProtection, }); unauthConnection.on('oauthRequired', () => { @@ -189,6 +192,7 @@ export class MCPConnectionFactory { }); this.serverName = basic.serverName; this.useOAuth = !!oauth?.useOAuth; + this.useSSRFProtection = basic.useSSRFProtection === true; this.connectionTimeout = oauth?.connectionTimeout; this.logPrefix = oauth?.user ? `[MCP][${basic.serverName}][${oauth.user.id}]` @@ -213,6 +217,7 @@ export class MCPConnectionFactory { serverConfig: this.serverConfig, userId: this.userId, oauthTokens, + useSSRFProtection: this.useSSRFProtection, }); let cleanupOAuthHandlers: (() => void) | null = null; diff --git a/packages/api/src/mcp/MCPManager.ts b/packages/api/src/mcp/MCPManager.ts index 211382c032..cab495774a 100644 --- a/packages/api/src/mcp/MCPManager.ts +++ b/packages/api/src/mcp/MCPManager.ts @@ -102,7 +102,8 @@ export class MCPManager extends UserConnectionManager { serverConfig.requiresOAuth || (serverConfig as t.ParsedServerConfig).oauthMetadata, ); - const basic: t.BasicConnectionOptions = { serverName, serverConfig }; + const useSSRFProtection = MCPServersRegistry.getInstance().shouldEnableSSRFProtection(); + const basic: t.BasicConnectionOptions = { serverName, serverConfig, useSSRFProtection }; if (!useOAuth) { const result = await MCPConnectionFactory.discoverTools(basic); diff --git a/packages/api/src/mcp/UserConnectionManager.ts b/packages/api/src/mcp/UserConnectionManager.ts index 25fc753d6b..e5d94689a0 100644 --- a/packages/api/src/mcp/UserConnectionManager.ts +++ b/packages/api/src/mcp/UserConnectionManager.ts @@ -117,6 +117,7 @@ export abstract class UserConnectionManager { { serverName: serverName, serverConfig: config, + useSSRFProtection: MCPServersRegistry.getInstance().shouldEnableSSRFProtection(), }, { useOAuth: true, diff --git a/packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts b/packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts index e722b38375..4240ba12d6 100644 --- a/packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts +++ b/packages/api/src/mcp/__tests__/ConnectionsRepository.test.ts @@ -24,6 +24,7 @@ jest.mock('../connection'); const mockRegistryInstance = { getServerConfig: jest.fn(), getAllServerConfigs: jest.fn(), + shouldEnableSSRFProtection: jest.fn().mockReturnValue(false), }; jest.mock('../registry/MCPServersRegistry', () => ({ @@ -108,6 +109,7 @@ describe('ConnectionsRepository', () => { { serverName: 'server1', serverConfig: mockServerConfigs.server1, + useSSRFProtection: false, }, undefined, ); @@ -129,6 +131,7 @@ describe('ConnectionsRepository', () => { { serverName: 'server1', serverConfig: mockServerConfigs.server1, + useSSRFProtection: false, }, undefined, ); @@ -167,6 +170,7 @@ describe('ConnectionsRepository', () => { { serverName: 'server1', serverConfig: configWithCachedAt, + useSSRFProtection: false, }, undefined, ); diff --git a/packages/api/src/mcp/__tests__/MCPConnectionFactory.test.ts b/packages/api/src/mcp/__tests__/MCPConnectionFactory.test.ts index 0986188e04..9f824bce23 100644 --- a/packages/api/src/mcp/__tests__/MCPConnectionFactory.test.ts +++ b/packages/api/src/mcp/__tests__/MCPConnectionFactory.test.ts @@ -84,6 +84,7 @@ describe('MCPConnectionFactory', () => { serverConfig: mockServerConfig, userId: undefined, oauthTokens: null, + useSSRFProtection: false, }); expect(mockConnectionInstance.connect).toHaveBeenCalled(); }); @@ -125,6 +126,7 @@ describe('MCPConnectionFactory', () => { serverConfig: mockServerConfig, userId: 'user123', oauthTokens: mockTokens, + useSSRFProtection: false, }); }); }); @@ -184,6 +186,7 @@ describe('MCPConnectionFactory', () => { serverConfig: mockServerConfig, userId: 'user123', oauthTokens: null, + useSSRFProtection: false, }); expect(mockLogger.debug).toHaveBeenCalledWith( expect.stringContaining('No existing tokens found or error loading tokens'), diff --git a/packages/api/src/mcp/__tests__/MCPManager.test.ts b/packages/api/src/mcp/__tests__/MCPManager.test.ts index caeb9176d3..bf63a6af3c 100644 --- a/packages/api/src/mcp/__tests__/MCPManager.test.ts +++ b/packages/api/src/mcp/__tests__/MCPManager.test.ts @@ -33,6 +33,7 @@ const mockRegistryInstance = { getServerConfig: jest.fn(), getAllServerConfigs: jest.fn(), getOAuthServers: jest.fn(), + shouldEnableSSRFProtection: jest.fn().mockReturnValue(false), }; jest.mock('~/mcp/registry/MCPServersRegistry', () => ({ diff --git a/packages/api/src/mcp/connection.ts b/packages/api/src/mcp/connection.ts index b954a2e839..74891dbd15 100644 --- a/packages/api/src/mcp/connection.ts +++ b/packages/api/src/mcp/connection.ts @@ -20,6 +20,7 @@ import type { import type { MCPOAuthTokens } from './oauth/types'; import { withTimeout } from '~/utils/promise'; import type * as t from './types'; +import { createSSRFSafeUndiciConnect, resolveHostnameSSRF } from '~/auth'; import { sanitizeUrlForLogging } from './utils'; import { mcpConfig } from './mcpConfig'; @@ -213,6 +214,7 @@ interface MCPConnectionParams { serverConfig: t.MCPOptions; userId?: string; oauthTokens?: MCPOAuthTokens | null; + useSSRFProtection?: boolean; } export class MCPConnection extends EventEmitter { @@ -233,6 +235,7 @@ export class MCPConnection extends EventEmitter { private oauthTokens?: MCPOAuthTokens | null; private requestHeaders?: Record | null; private oauthRequired = false; + private readonly useSSRFProtection: boolean; iconPath?: string; timeout?: number; url?: string; @@ -263,6 +266,7 @@ export class MCPConnection extends EventEmitter { this.options = params.serverConfig; this.serverName = params.serverName; this.userId = params.userId; + this.useSSRFProtection = params.useSSRFProtection === true; this.iconPath = params.serverConfig.iconPath; this.timeout = params.serverConfig.timeout; this.lastPingTime = Date.now(); @@ -301,6 +305,7 @@ export class MCPConnection extends EventEmitter { getHeaders: () => Record | null | undefined, timeout?: number, ): (input: UndiciRequestInfo, init?: UndiciRequestInit) => Promise { + const ssrfConnect = this.useSSRFProtection ? createSSRFSafeUndiciConnect() : undefined; return function customFetch( input: UndiciRequestInfo, init?: UndiciRequestInit, @@ -310,6 +315,7 @@ export class MCPConnection extends EventEmitter { const agent = new Agent({ bodyTimeout: effectiveTimeout, headersTimeout: effectiveTimeout, + ...(ssrfConnect != null ? { connect: ssrfConnect } : {}), }); if (!requestHeaders) { return undiciFetch(input, { ...init, dispatcher: agent }); @@ -342,7 +348,7 @@ export class MCPConnection extends EventEmitter { logger.error(`${this.getLogPrefix()} ${errorContext}: ${errorMessage}`); } - private constructTransport(options: t.MCPOptions): Transport { + private async constructTransport(options: t.MCPOptions): Promise { try { let type: t.MCPOptions['type']; if (isStdioOptions(options)) { @@ -378,6 +384,15 @@ export class MCPConnection extends EventEmitter { throw new Error('Invalid options for websocket transport.'); } this.url = options.url; + if (this.useSSRFProtection) { + const wsHostname = new URL(options.url).hostname; + const isSSRF = await resolveHostnameSSRF(wsHostname); + if (isSSRF) { + throw new Error( + `SSRF protection: WebSocket host "${wsHostname}" resolved to a private/reserved IP address`, + ); + } + } return new WebSocketClientTransport(new URL(options.url)); case 'sse': { @@ -402,6 +417,7 @@ export class MCPConnection extends EventEmitter { * The connect timeout is extended because proxies may delay initial response. */ const sseTimeout = this.timeout || SSE_CONNECT_TIMEOUT; + const ssrfConnect = this.useSSRFProtection ? createSSRFSafeUndiciConnect() : undefined; const transport = new SSEClientTransport(url, { requestInit: { /** User/OAuth headers override SSE defaults */ @@ -420,6 +436,7 @@ export class MCPConnection extends EventEmitter { /** Extended keep-alive for long-lived SSE connections */ keepAliveTimeout: sseTimeout, keepAliveMaxTimeout: sseTimeout * 2, + ...(ssrfConnect != null ? { connect: ssrfConnect } : {}), }); return undiciFetch(url, { ...init, @@ -629,7 +646,7 @@ export class MCPConnection extends EventEmitter { } } - this.transport = this.constructTransport(this.options); + this.transport = await this.constructTransport(this.options); this.setupTransportDebugHandlers(); const connectTimeout = this.options.initTimeout ?? 120000; diff --git a/packages/api/src/mcp/registry/MCPServerInspector.ts b/packages/api/src/mcp/registry/MCPServerInspector.ts index 2263c10422..50da9cdc25 100644 --- a/packages/api/src/mcp/registry/MCPServerInspector.ts +++ b/packages/api/src/mcp/registry/MCPServerInspector.ts @@ -18,6 +18,7 @@ export class MCPServerInspector { private readonly serverName: string, private readonly config: t.ParsedServerConfig, private connection: MCPConnection | undefined, + private readonly useSSRFProtection: boolean = false, ) {} /** @@ -42,8 +43,9 @@ export class MCPServerInspector { throw new MCPDomainNotAllowedError(domain ?? 'unknown'); } + const useSSRFProtection = !Array.isArray(allowedDomains) || allowedDomains.length === 0; const start = Date.now(); - const inspector = new MCPServerInspector(serverName, rawConfig, connection); + const inspector = new MCPServerInspector(serverName, rawConfig, connection, useSSRFProtection); await inspector.inspectServer(); inspector.config.initDuration = Date.now() - start; return inspector.config; @@ -59,6 +61,7 @@ export class MCPServerInspector { this.connection = await MCPConnectionFactory.create({ serverName: this.serverName, serverConfig: this.config, + useSSRFProtection: this.useSSRFProtection, }); } diff --git a/packages/api/src/mcp/registry/MCPServersRegistry.ts b/packages/api/src/mcp/registry/MCPServersRegistry.ts index 801b3957a0..0264a8ed7a 100644 --- a/packages/api/src/mcp/registry/MCPServersRegistry.ts +++ b/packages/api/src/mcp/registry/MCPServersRegistry.ts @@ -77,6 +77,15 @@ export class MCPServersRegistry { return MCPServersRegistry.instance; } + public getAllowedDomains(): string[] | null | undefined { + return this.allowedDomains; + } + + /** Returns true when no explicit allowedDomains allowlist is configured, enabling SSRF TOCTOU protection */ + public shouldEnableSSRFProtection(): boolean { + return !Array.isArray(this.allowedDomains) || this.allowedDomains.length === 0; + } + public async getServerConfig( serverName: string, userId?: string, diff --git a/packages/api/src/mcp/registry/__tests__/MCPServerInspector.test.ts b/packages/api/src/mcp/registry/__tests__/MCPServerInspector.test.ts index 72bf57857e..42dc4d2005 100644 --- a/packages/api/src/mcp/registry/__tests__/MCPServerInspector.test.ts +++ b/packages/api/src/mcp/registry/__tests__/MCPServerInspector.test.ts @@ -276,6 +276,7 @@ describe('MCPServerInspector', () => { expect(MCPConnectionFactory.create).toHaveBeenCalledWith({ serverName: 'test_server', serverConfig: expect.objectContaining({ type: 'stdio', command: 'node' }), + useSSRFProtection: true, }); // Verify temporary connection was disconnected diff --git a/packages/api/src/mcp/types/index.ts b/packages/api/src/mcp/types/index.ts index 46447c6687..270131036b 100644 --- a/packages/api/src/mcp/types/index.ts +++ b/packages/api/src/mcp/types/index.ts @@ -166,6 +166,7 @@ export type AddServerResult = { export interface BasicConnectionOptions { serverName: string; serverConfig: MCPOptions; + useSSRFProtection?: boolean; } export interface OAuthConnectionOptions { diff --git a/packages/data-provider/specs/actions.spec.ts b/packages/data-provider/specs/actions.spec.ts index 08942d5505..59f068586d 100644 --- a/packages/data-provider/specs/actions.spec.ts +++ b/packages/data-provider/specs/actions.spec.ts @@ -459,6 +459,82 @@ describe('ActionRequest', () => { await expect(actionRequest.execute()).rejects.toThrow('Unsupported HTTP method: invalid'); }); + describe('SSRF-safe agent passthrough', () => { + beforeEach(() => { + mockedAxios.get.mockResolvedValue({ data: { success: true } }); + mockedAxios.post.mockResolvedValue({ data: { success: true } }); + }); + + it('should pass httpAgent and httpsAgent to axios.create when provided', async () => { + const mockHttpAgent = { keepAlive: true }; + const mockHttpsAgent = { keepAlive: true }; + + const actionRequest = new ActionRequest( + 'https://example.com', + '/test', + 'GET', + 'testOp', + false, + 'application/json', + ); + const executor = actionRequest.createExecutor(); + executor.setParams({ key: 'value' }); + await executor.execute({ httpAgent: mockHttpAgent, httpsAgent: mockHttpsAgent }); + + expect(mockedAxios.create).toHaveBeenCalledWith( + expect.objectContaining({ + httpAgent: mockHttpAgent, + httpsAgent: mockHttpsAgent, + maxRedirects: 0, + }), + ); + }); + + it('should not include agent keys when no options are provided', async () => { + const actionRequest = new ActionRequest( + 'https://example.com', + '/test', + 'GET', + 'testOp', + false, + 'application/json', + ); + const executor = actionRequest.createExecutor(); + executor.setParams({ key: 'value' }); + await executor.execute(); + + const createArg = mockedAxios.create.mock.calls[ + mockedAxios.create.mock.calls.length - 1 + ][0] as Record; + expect(createArg).not.toHaveProperty('httpAgent'); + expect(createArg).not.toHaveProperty('httpsAgent'); + }); + + it('should pass agents through for POST requests', async () => { + const mockAgent = { ssrf: true }; + + const actionRequest = new ActionRequest( + 'https://example.com', + '/test', + 'POST', + 'testOp', + false, + 'application/json', + ); + const executor = actionRequest.createExecutor(); + executor.setParams({ body: 'data' }); + await executor.execute({ httpAgent: mockAgent, httpsAgent: mockAgent }); + + expect(mockedAxios.create).toHaveBeenCalledWith( + expect.objectContaining({ + httpAgent: mockAgent, + httpsAgent: mockAgent, + }), + ); + expect(mockedAxios.post).toHaveBeenCalled(); + }); + }); + describe('ActionRequest Concurrent Execution', () => { beforeEach(() => { jest.clearAllMocks(); diff --git a/packages/data-provider/src/actions.ts b/packages/data-provider/src/actions.ts index c7566e479f..53c9e8ae1c 100644 --- a/packages/data-provider/src/actions.ts +++ b/packages/data-provider/src/actions.ts @@ -283,7 +283,7 @@ class RequestExecutor { return this; } - async execute() { + async execute(options?: { httpAgent?: unknown; httpsAgent?: unknown }) { const url = createURL(this.config.domain, this.path); const headers: Record = { ...this.authHeaders, @@ -300,10 +300,15 @@ class RequestExecutor { * * By setting maxRedirects: 0, we prevent this attack vector. * The action will receive the redirect response (3xx) instead of following it. + * + * SECURITY: When httpAgent/httpsAgent are provided (SSRF-safe agents), they validate + * the DNS-resolved IP at TCP connect time, preventing TOCTOU DNS rebinding attacks. */ const axios = _axios.create({ maxRedirects: 0, - validateStatus: (status) => status >= 200 && status < 400, // Accept 3xx but don't follow + validateStatus: (status) => status >= 200 && status < 400, + ...(options?.httpAgent != null ? { httpAgent: options.httpAgent } : {}), + ...(options?.httpsAgent != null ? { httpsAgent: options.httpsAgent } : {}), }); // Initialize separate containers for query and body parameters. From 417405a97402e54c0c87a8384071a3b46f1f5715 Mon Sep 17 00:00:00 2001 From: WhammyLeaf Date: Thu, 12 Feb 2026 04:11:05 +0100 Subject: [PATCH 07/55] =?UTF-8?q?=F0=9F=8F=A2=20fix:=20Handle=20Group=20Ov?= =?UTF-8?q?erage=20for=20Azure=20Entra=20Authentication=20(#11557)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit small fix add tests reorder Update api/strategies/openidStrategy.spec.js Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Update api/strategies/openidStrategy.js Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> some fixes and fix fix more fixes fix --- api/strategies/openidStrategy.js | 94 +++++++- api/strategies/openidStrategy.spec.js | 310 ++++++++++++++++++++++++++ 2 files changed, 403 insertions(+), 1 deletion(-) diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js index 84458ce992..c937b3dc9e 100644 --- a/api/strategies/openidStrategy.js +++ b/api/strategies/openidStrategy.js @@ -287,6 +287,77 @@ function convertToUsername(input, defaultValue = '') { return defaultValue; } +/** + * Resolve Azure AD groups when group overage is in effect (groups moved to _claim_names/_claim_sources). + * + * NOTE: Microsoft recommends treating _claim_names/_claim_sources as a signal only and using Microsoft Graph + * to resolve group membership instead of calling the endpoint in _claim_sources directly. + * + * @param {string} accessToken - Access token with Microsoft Graph permissions + * @returns {Promise} Resolved group IDs or null on failure + * @see https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference#groups-overage-claim + * @see https://learn.microsoft.com/en-us/graph/api/directoryobject-getmemberobjects + */ +async function resolveGroupsFromOverage(accessToken) { + try { + if (!accessToken) { + logger.error('[openidStrategy] Access token missing; cannot resolve group overage'); + return null; + } + + // Use /me/getMemberObjects so least-privileged delegated permission User.Read is sufficient + // when resolving the signed-in user's group membership. + const url = 'https://graph.microsoft.com/v1.0/me/getMemberObjects'; + + logger.debug( + `[openidStrategy] Detected group overage, resolving groups via Microsoft Graph getMemberObjects: ${url}`, + ); + + const fetchOptions = { + method: 'POST', + headers: { + Authorization: `Bearer ${accessToken}`, + 'Content-Type': 'application/json', + }, + body: JSON.stringify({ securityEnabledOnly: false }), + }; + + if (process.env.PROXY) { + const { ProxyAgent } = undici; + fetchOptions.dispatcher = new ProxyAgent(process.env.PROXY); + } + + const response = await undici.fetch(url, fetchOptions); + if (!response.ok) { + logger.error( + `[openidStrategy] Failed to resolve groups via Microsoft Graph getMemberObjects: HTTP ${response.status} ${response.statusText}`, + ); + return null; + } + + const data = await response.json(); + const values = Array.isArray(data?.value) ? data.value : null; + if (!values) { + logger.error( + '[openidStrategy] Unexpected response format when resolving groups via Microsoft Graph getMemberObjects', + ); + return null; + } + const groupIds = values.filter((id) => typeof id === 'string'); + + logger.debug( + `[openidStrategy] Successfully resolved ${groupIds.length} groups via Microsoft Graph getMemberObjects`, + ); + return groupIds; + } catch (err) { + logger.error( + '[openidStrategy] Error resolving groups via Microsoft Graph getMemberObjects:', + err, + ); + return null; + } +} + /** * Process OpenID authentication tokenset and userinfo * This is the core logic extracted from the passport strategy callback @@ -350,6 +421,25 @@ async function processOpenIDAuth(tokenset, existingUsersOnly = false) { } let roles = get(decodedToken, requiredRoleParameterPath); + + // Handle Azure AD group overage for ID token groups: when hasgroups or _claim_* indicate overage, + // resolve groups via Microsoft Graph instead of relying on token group values. + if ( + !Array.isArray(roles) && + typeof roles !== 'string' && + requiredRoleTokenKind === 'id' && + requiredRoleParameterPath === 'groups' && + decodedToken && + (decodedToken.hasgroups || + (decodedToken._claim_names?.groups && + decodedToken._claim_sources?.[decodedToken._claim_names.groups])) + ) { + const overageGroups = await resolveGroupsFromOverage(tokenset.access_token); + if (overageGroups) { + roles = overageGroups; + } + } + if (!roles || (!Array.isArray(roles) && typeof roles !== 'string')) { logger.error( `[openidStrategy] Key '${requiredRoleParameterPath}' not found in ${requiredRoleTokenKind} token!`, @@ -361,7 +451,9 @@ async function processOpenIDAuth(tokenset, existingUsersOnly = false) { throw new Error(`You must have ${rolesList} role to log in.`); } - if (!requiredRoles.some((role) => roles.includes(role))) { + const roleValues = Array.isArray(roles) ? roles : [roles]; + + if (!requiredRoles.some((role) => roleValues.includes(role))) { const rolesList = requiredRoles.length === 1 ? `"${requiredRoles[0]}"` diff --git a/api/strategies/openidStrategy.spec.js b/api/strategies/openidStrategy.spec.js index ada27cca17..99b9483522 100644 --- a/api/strategies/openidStrategy.spec.js +++ b/api/strategies/openidStrategy.spec.js @@ -1,5 +1,6 @@ const fetch = require('node-fetch'); const jwtDecode = require('jsonwebtoken/decode'); +const undici = require('undici'); const { ErrorTypes } = require('librechat-data-provider'); const { findUser, createUser, updateUser } = require('~/models'); const { setupOpenId } = require('./openidStrategy'); @@ -7,6 +8,10 @@ const { setupOpenId } = require('./openidStrategy'); // --- Mocks --- jest.mock('node-fetch'); jest.mock('jsonwebtoken/decode'); +jest.mock('undici', () => ({ + fetch: jest.fn(), + ProxyAgent: jest.fn(), +})); jest.mock('~/server/services/Files/strategies', () => ({ getStrategyFunctions: jest.fn(() => ({ saveBuffer: jest.fn().mockResolvedValue('/fake/path/to/avatar.png'), @@ -360,6 +365,25 @@ describe('setupOpenId', () => { expect(details.message).toBe('You must have "requiredRole" role to log in.'); }); + it('should not treat substring matches in string roles as satisfying required role', async () => { + // Arrange – override required role to "read" then re-setup + process.env.OPENID_REQUIRED_ROLE = 'read'; + await setupOpenId(); + verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid'); + + // Token contains "bread" which *contains* "read" as a substring + jwtDecode.mockReturnValue({ + roles: 'bread', + }); + + // Act + const { user, details } = await validate(tokenset); + + // Assert – verify that substring match does not grant access + expect(user).toBe(false); + expect(details.message).toBe('You must have "read" role to log in.'); + }); + it('should allow login when single required role is present (backward compatibility)', async () => { // Arrange – ensure single role configuration (as set in beforeEach) // OPENID_REQUIRED_ROLE = 'requiredRole' @@ -378,6 +402,292 @@ describe('setupOpenId', () => { expect(createUser).toHaveBeenCalled(); }); + describe('group overage and groups handling', () => { + it.each([ + ['groups array contains required group', ['group-required', 'other-group'], true, undefined], + [ + 'groups array missing required group', + ['other-group'], + false, + 'You must have "group-required" role to log in.', + ], + ['groups string equals required group', 'group-required', true, undefined], + [ + 'groups string is other group', + 'other-group', + false, + 'You must have "group-required" role to log in.', + ], + ])( + 'uses groups claim directly when %s (no overage)', + async (_label, groupsClaim, expectedAllowed, expectedMessage) => { + process.env.OPENID_REQUIRED_ROLE = 'group-required'; + process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'groups'; + process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND = 'id'; + + jwtDecode.mockReturnValue({ + groups: groupsClaim, + permissions: ['admin'], + }); + + await setupOpenId(); + verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid'); + + const { user, details } = await validate(tokenset); + + expect(undici.fetch).not.toHaveBeenCalled(); + expect(Boolean(user)).toBe(expectedAllowed); + expect(details?.message).toBe(expectedMessage); + }, + ); + + it.each([ + ['token kind is not id', { kind: 'access', path: 'groups', decoded: { hasgroups: true } }], + ['parameter path is not groups', { kind: 'id', path: 'roles', decoded: { hasgroups: true } }], + ['decoded token is falsy', { kind: 'id', path: 'groups', decoded: null }], + [ + 'no overage indicators in decoded token', + { + kind: 'id', + path: 'groups', + decoded: { + permissions: ['admin'], + }, + }, + ], + [ + 'only _claim_names present (no _claim_sources)', + { + kind: 'id', + path: 'groups', + decoded: { + _claim_names: { groups: 'src1' }, + permissions: ['admin'], + }, + }, + ], + [ + 'only _claim_sources present (no _claim_names)', + { + kind: 'id', + path: 'groups', + decoded: { + _claim_sources: { src1: { endpoint: 'https://graph.windows.net/ignored' } }, + permissions: ['admin'], + }, + }, + ], + ])('does not attempt overage resolution when %s', async (_label, cfg) => { + process.env.OPENID_REQUIRED_ROLE = 'group-required'; + process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = cfg.path; + process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND = cfg.kind; + + jwtDecode.mockReturnValue(cfg.decoded); + + await setupOpenId(); + verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid'); + + const { user, details } = await validate(tokenset); + + expect(undici.fetch).not.toHaveBeenCalled(); + expect(user).toBe(false); + expect(details.message).toBe('You must have "group-required" role to log in.'); + const { logger } = require('@librechat/data-schemas'); + const expectedTokenKind = cfg.kind === 'access' ? 'access token' : 'id token'; + expect(logger.error).toHaveBeenCalledWith( + expect.stringContaining(`Key '${cfg.path}' not found in ${expectedTokenKind}!`), + ); + }); + }); + + describe('resolving groups via Microsoft Graph', () => { + it('denies login and does not call Graph when access token is missing', async () => { + process.env.OPENID_REQUIRED_ROLE = 'group-required'; + process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'groups'; + process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND = 'id'; + + const { logger } = require('@librechat/data-schemas'); + + jwtDecode.mockReturnValue({ + hasgroups: true, + permissions: ['admin'], + }); + + await setupOpenId(); + verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid'); + + const tokensetWithoutAccess = { + ...tokenset, + access_token: undefined, + }; + + const { user, details } = await validate(tokensetWithoutAccess); + + expect(user).toBe(false); + expect(details.message).toBe('You must have "group-required" role to log in.'); + + expect(undici.fetch).not.toHaveBeenCalled(); + expect(logger.error).toHaveBeenCalledWith( + expect.stringContaining('Access token missing; cannot resolve group overage'), + ); + }); + + it.each([ + [ + 'Graph returns HTTP error', + async () => ({ + ok: false, + status: 403, + statusText: 'Forbidden', + json: async () => ({}), + }), + [ + '[openidStrategy] Failed to resolve groups via Microsoft Graph getMemberObjects: HTTP 403 Forbidden', + ], + ], + [ + 'Graph network error', + async () => { + throw new Error('network error'); + }, + [ + '[openidStrategy] Error resolving groups via Microsoft Graph getMemberObjects:', + expect.any(Error), + ], + ], + [ + 'Graph returns unexpected shape (no value)', + async () => ({ + ok: true, + status: 200, + statusText: 'OK', + json: async () => ({}), + }), + [ + '[openidStrategy] Unexpected response format when resolving groups via Microsoft Graph getMemberObjects', + ], + ], + [ + 'Graph returns invalid value type', + async () => ({ + ok: true, + status: 200, + statusText: 'OK', + json: async () => ({ value: 'not-an-array' }), + }), + [ + '[openidStrategy] Unexpected response format when resolving groups via Microsoft Graph getMemberObjects', + ], + ], + ])( + 'denies login when overage resolution fails because %s', + async (_label, setupFetch, expectedErrorArgs) => { + process.env.OPENID_REQUIRED_ROLE = 'group-required'; + process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'groups'; + process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND = 'id'; + + const { logger } = require('@librechat/data-schemas'); + + jwtDecode.mockReturnValue({ + hasgroups: true, + permissions: ['admin'], + }); + + await setupOpenId(); + verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid'); + + undici.fetch.mockImplementation(setupFetch); + + const { user, details } = await validate(tokenset); + + expect(undici.fetch).toHaveBeenCalled(); + expect(user).toBe(false); + expect(details.message).toBe('You must have "group-required" role to log in.'); + + expect(logger.error).toHaveBeenCalledWith(...expectedErrorArgs); + }, + ); + + it.each([ + [ + 'hasgroups overage and Graph contains required group', + { + hasgroups: true, + }, + ['group-required', 'some-other-group'], + true, + ], + [ + '_claim_* overage and Graph contains required group', + { + _claim_names: { groups: 'src1' }, + _claim_sources: { src1: { endpoint: 'https://graph.windows.net/ignored' } }, + }, + ['group-required', 'some-other-group'], + true, + ], + [ + 'hasgroups overage and Graph does NOT contain required group', + { + hasgroups: true, + }, + ['some-other-group'], + false, + ], + [ + '_claim_* overage and Graph does NOT contain required group', + { + _claim_names: { groups: 'src1' }, + _claim_sources: { src1: { endpoint: 'https://graph.windows.net/ignored' } }, + }, + ['some-other-group'], + false, + ], + ])( + 'resolves groups via Microsoft Graph when %s', + async (_label, decodedTokenValue, graphGroups, expectedAllowed) => { + process.env.OPENID_REQUIRED_ROLE = 'group-required'; + process.env.OPENID_REQUIRED_ROLE_PARAMETER_PATH = 'groups'; + process.env.OPENID_REQUIRED_ROLE_TOKEN_KIND = 'id'; + + const { logger } = require('@librechat/data-schemas'); + + jwtDecode.mockReturnValue(decodedTokenValue); + + await setupOpenId(); + verifyCallback = require('openid-client/passport').__getVerifyCallbackByName('openid'); + + undici.fetch.mockResolvedValue({ + ok: true, + status: 200, + statusText: 'OK', + json: async () => ({ + value: graphGroups, + }), + }); + + const { user } = await validate(tokenset); + + expect(undici.fetch).toHaveBeenCalledWith( + 'https://graph.microsoft.com/v1.0/me/getMemberObjects', + expect.objectContaining({ + method: 'POST', + headers: expect.objectContaining({ + Authorization: `Bearer ${tokenset.access_token}`, + }), + }), + ); + expect(Boolean(user)).toBe(expectedAllowed); + + expect(logger.debug).toHaveBeenCalledWith( + expect.stringContaining( + `Successfully resolved ${graphGroups.length} groups via Microsoft Graph getMemberObjects`, + ), + ); + }, + ); + }); + it('should attempt to download and save the avatar if picture is provided', async () => { // Act const { user } = await validate(tokenset); From c7531dd0290e77ab60ca371db8050f5ea8ada116 Mon Sep 17 00:00:00 2001 From: ethanlaj Date: Wed, 11 Feb 2026 22:12:05 -0500 Subject: [PATCH 08/55] =?UTF-8?q?=F0=9F=95=B5=EF=B8=8F=E2=80=8D=E2=99=82?= =?UTF-8?q?=EF=B8=8F=20fix:=20Handle=20404=20errors=20on=20agent=20queries?= =?UTF-8?q?=20for=20favorites=20(#11587)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- client/src/common/agents-types.ts | 2 + .../Nav/Favorites/FavoritesList.tsx | 20 +- .../Favorites/tests/FavoritesList.spec.tsx | 191 ++++++++++++++++++ 3 files changed, 210 insertions(+), 3 deletions(-) create mode 100644 client/src/components/Nav/Favorites/tests/FavoritesList.spec.tsx diff --git a/client/src/common/agents-types.ts b/client/src/common/agents-types.ts index c3832b7ff8..c3ea06f890 100644 --- a/client/src/common/agents-types.ts +++ b/client/src/common/agents-types.ts @@ -9,6 +9,8 @@ import type { } from 'librechat-data-provider'; import type { OptionWithIcon, ExtendedFile } from './types'; +export type AgentQueryResult = { found: true; agent: Agent } | { found: false }; + export type TAgentOption = OptionWithIcon & Agent & { knowledge_files?: Array<[string, ExtendedFile]>; diff --git a/client/src/components/Nav/Favorites/FavoritesList.tsx b/client/src/components/Nav/Favorites/FavoritesList.tsx index b142b0cfc3..86fe4a793f 100644 --- a/client/src/components/Nav/Favorites/FavoritesList.tsx +++ b/client/src/components/Nav/Favorites/FavoritesList.tsx @@ -9,6 +9,7 @@ import { QueryKeys, dataService } from 'librechat-data-provider'; import type t from 'librechat-data-provider'; import { useFavorites, useLocalize, useShowMarketplace, useNewConvo } from '~/hooks'; import { useAssistantsMapContext, useAgentsMapContext } from '~/Providers'; +import type { AgentQueryResult } from '~/common'; import useSelectMention from '~/hooks/Input/useSelectMention'; import { useGetEndpointsQuery } from '~/data-provider'; import FavoriteItem from './FavoriteItem'; @@ -184,7 +185,20 @@ export default function FavoritesList({ const missingAgentQueries = useQueries({ queries: missingAgentIds.map((agentId) => ({ queryKey: [QueryKeys.agent, agentId], - queryFn: () => dataService.getAgentById({ agent_id: agentId }), + queryFn: async (): Promise => { + try { + const agent = await dataService.getAgentById({ agent_id: agentId }); + return { found: true, agent }; + } catch (error) { + if (error && typeof error === 'object' && 'response' in error) { + const axiosError = error as { response?: { status?: number } }; + if (axiosError.response?.status === 404) { + return { found: false }; + } + } + throw error; + } + }, staleTime: 1000 * 60 * 5, enabled: missingAgentIds.length > 0, })), @@ -201,8 +215,8 @@ export default function FavoritesList({ } } missingAgentQueries.forEach((query) => { - if (query.data) { - combined[query.data.id] = query.data; + if (query.data?.found) { + combined[query.data.agent.id] = query.data.agent; } }); return combined; diff --git a/client/src/components/Nav/Favorites/tests/FavoritesList.spec.tsx b/client/src/components/Nav/Favorites/tests/FavoritesList.spec.tsx new file mode 100644 index 0000000000..8318b94698 --- /dev/null +++ b/client/src/components/Nav/Favorites/tests/FavoritesList.spec.tsx @@ -0,0 +1,191 @@ +import React from 'react'; +import { render, waitFor } from '@testing-library/react'; +import '@testing-library/jest-dom'; +import { QueryClient, QueryClientProvider } from '@tanstack/react-query'; +import { RecoilRoot } from 'recoil'; +import { DndProvider } from 'react-dnd'; +import { HTML5Backend } from 'react-dnd-html5-backend'; +import { BrowserRouter } from 'react-router-dom'; +import { dataService } from 'librechat-data-provider'; +import type t from 'librechat-data-provider'; + +// Mock store before importing FavoritesList +jest.mock('~/store', () => { + const { atom } = jest.requireActual('recoil'); + return { + __esModule: true, + default: { + search: atom({ + key: 'mock-search-atom', + default: { query: '' }, + }), + conversationByIndex: (index: number) => + atom({ + key: `mock-conversation-atom-${index}`, + default: null, + }), + }, + }; +}); +import FavoritesList from '../FavoritesList'; + +type FavoriteItem = { + agentId?: string; + model?: string; + endpoint?: string; +}; + +// Mock dataService +jest.mock('librechat-data-provider', () => ({ + ...jest.requireActual('librechat-data-provider'), + dataService: { + getAgentById: jest.fn(), + }, +})); + +// Mock hooks +const mockFavorites: FavoriteItem[] = []; +const mockUseFavorites = jest.fn(() => ({ + favorites: mockFavorites, + reorderFavorites: jest.fn(), + isLoading: false, +})); + +jest.mock('~/hooks', () => ({ + useFavorites: () => mockUseFavorites(), + useLocalize: () => (key: string) => key, + useShowMarketplace: () => false, + useNewConvo: () => ({ newConversation: jest.fn() }), +})); + +jest.mock('~/Providers', () => ({ + useAssistantsMapContext: () => ({}), + useAgentsMapContext: () => ({}), +})); + +jest.mock('~/hooks/Input/useSelectMention', () => () => ({ + onSelectEndpoint: jest.fn(), +})); + +jest.mock('~/data-provider', () => ({ + useGetEndpointsQuery: () => ({ data: {} }), +})); + +jest.mock('../FavoriteItem', () => ({ + __esModule: true, + default: ({ item, type }: { item: any; type: string }) => ( +
+ {type === 'agent' ? item.name : item.model} +
+ ), +})); + +const createTestQueryClient = () => + new QueryClient({ + defaultOptions: { + queries: { + retry: false, + }, + }, + }); + +const renderWithProviders = (ui: React.ReactElement) => { + const queryClient = createTestQueryClient(); + return render( + + + + {ui} + + + , + ); +}; + +describe('FavoritesList', () => { + beforeEach(() => { + jest.clearAllMocks(); + mockFavorites.length = 0; + }); + + describe('rendering', () => { + it('should render nothing when favorites is empty and marketplace is hidden', () => { + const { container } = renderWithProviders(); + expect(container.firstChild).toBeNull(); + }); + + it('should render skeleton while loading', () => { + mockUseFavorites.mockReturnValueOnce({ + favorites: [], + reorderFavorites: jest.fn(), + isLoading: true, + }); + + const { container } = renderWithProviders(); + // Skeletons should be present during loading - container should have children + expect(container.firstChild).not.toBeNull(); + // When loading, the component renders skeleton placeholders (check for content, not specific CSS) + expect(container.innerHTML).toContain('div'); + }); + }); + + describe('missing agent handling', () => { + it('should exclude missing agents (404) from rendered favorites and render valid agents', async () => { + const validAgent: t.Agent = { + id: 'valid-agent', + name: 'Valid Agent', + author: 'test-author', + } as t.Agent; + + // Set up favorites with both valid and missing agent + mockFavorites.push({ agentId: 'valid-agent' }, { agentId: 'deleted-agent' }); + + // Mock getAgentById: valid-agent returns successfully, deleted-agent returns 404 + (dataService.getAgentById as jest.Mock).mockImplementation( + ({ agent_id }: { agent_id: string }) => { + if (agent_id === 'valid-agent') { + return Promise.resolve(validAgent); + } + if (agent_id === 'deleted-agent') { + return Promise.reject({ response: { status: 404 } }); + } + return Promise.reject(new Error('Unknown agent')); + }, + ); + + const { findAllByTestId } = renderWithProviders(); + + // Wait for queries to resolve + const favoriteItems = await findAllByTestId('favorite-item'); + + // Only the valid agent should be rendered + expect(favoriteItems).toHaveLength(1); + expect(favoriteItems[0]).toHaveTextContent('Valid Agent'); + + // The deleted agent should still be requested, but not rendered + expect(dataService.getAgentById as jest.Mock).toHaveBeenCalledWith({ + agent_id: 'deleted-agent', + }); + }); + + it('should not show infinite loading skeleton when agents return 404', async () => { + // Set up favorites with only a deleted agent + mockFavorites.push({ agentId: 'deleted-agent' }); + + // Mock getAgentById to return 404 + (dataService.getAgentById as jest.Mock).mockRejectedValue({ response: { status: 404 } }); + + const { queryAllByTestId } = renderWithProviders(); + + // Wait for the loading state to resolve after 404 handling by ensuring the agent request was made + await waitFor(() => { + expect(dataService.getAgentById as jest.Mock).toHaveBeenCalledWith({ + agent_id: 'deleted-agent', + }); + }); + + // No favorite items should be rendered (deleted agent is filtered out) + expect(queryAllByTestId('favorite-item')).toHaveLength(0); + }); + }); +}); From 5b67e48fe1c2179ef68f5fd8b17934a940f14a83 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Wed, 11 Feb 2026 22:20:43 -0500 Subject: [PATCH 09/55] =?UTF-8?q?=F0=9F=97=83=EF=B8=8F=20refactor:=20Separ?= =?UTF-8?q?ate=20Tool=20Cache=20Namespace=20for=20Blue/Green=20Deployments?= =?UTF-8?q?=20(#11738)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 refactor: Introduce TOOL_CACHE for isolated caching of tools - Added TOOL_CACHE key to CacheKeys enum for managing tool-related cache. - Updated various services and controllers to utilize TOOL_CACHE instead of CONFIG_STORE for better separation of concerns in caching logic. - Enhanced .env.example with comments on using in-memory cache for blue/green deployments. * 🔧 refactor: Update cache configuration for in-memory storage handling - Enhanced the handling of `FORCED_IN_MEMORY_CACHE_NAMESPACES` in `cacheConfig.ts` to default to `CONFIG_STORE` and `APP_CONFIG`, ensuring safer blue/green deployments. - Updated `.env.example` with clearer comments regarding the usage of in-memory cache namespaces. - Improved unit tests to validate the new default behavior and handling of empty strings for cache namespaces. --- .env.example | 6 +- api/cache/getLogStores.js | 1 + api/server/controllers/PluginController.js | 4 +- .../controllers/PluginController.spec.js | 23 +++ .../Config/__tests__/getCachedTools.spec.js | 86 ++++++++++- api/server/services/Config/getCachedTools.js | 8 +- api/server/services/Config/mcp.js | 4 +- .../src/cache/__tests__/cacheConfig.spec.ts | 20 ++- .../standardCache.namespace_isolation.spec.ts | 135 ++++++++++++++++++ packages/api/src/cache/cacheConfig.ts | 11 +- packages/data-provider/src/config.ts | 4 + 11 files changed, 284 insertions(+), 18 deletions(-) create mode 100644 packages/api/src/cache/__tests__/cacheFactory/standardCache.namespace_isolation.spec.ts diff --git a/.env.example b/.env.example index 0cf51ea2dc..4fd526f569 100644 --- a/.env.example +++ b/.env.example @@ -748,8 +748,10 @@ HELP_AND_FAQ_URL=https://librechat.ai # REDIS_PING_INTERVAL=300 # Force specific cache namespaces to use in-memory storage even when Redis is enabled -# Comma-separated list of CacheKeys (e.g., ROLES,MESSAGES) -# FORCED_IN_MEMORY_CACHE_NAMESPACES=ROLES,MESSAGES +# Comma-separated list of CacheKeys +# Defaults to CONFIG_STORE,APP_CONFIG so YAML-derived config stays per-container (safe for blue/green deployments) +# Set to empty string to force all namespaces through Redis: FORCED_IN_MEMORY_CACHE_NAMESPACES= +# FORCED_IN_MEMORY_CACHE_NAMESPACES=CONFIG_STORE,APP_CONFIG # Leader Election Configuration (for multi-instance deployments with Redis) # Duration in seconds that the leader lease is valid before it expires (default: 25) diff --git a/api/cache/getLogStores.js b/api/cache/getLogStores.js index 5940689957..3089192196 100644 --- a/api/cache/getLogStores.js +++ b/api/cache/getLogStores.js @@ -37,6 +37,7 @@ const namespaces = { [CacheKeys.ROLES]: standardCache(CacheKeys.ROLES), [CacheKeys.APP_CONFIG]: standardCache(CacheKeys.APP_CONFIG), [CacheKeys.CONFIG_STORE]: standardCache(CacheKeys.CONFIG_STORE), + [CacheKeys.TOOL_CACHE]: standardCache(CacheKeys.TOOL_CACHE), [CacheKeys.PENDING_REQ]: standardCache(CacheKeys.PENDING_REQ), [CacheKeys.ENCODED_DOMAINS]: new Keyv({ store: keyvMongo, namespace: CacheKeys.ENCODED_DOMAINS }), [CacheKeys.ABORT_KEYS]: standardCache(CacheKeys.ABORT_KEYS, Time.TEN_MINUTES), diff --git a/api/server/controllers/PluginController.js b/api/server/controllers/PluginController.js index c5e074b8ff..279ffb15fd 100644 --- a/api/server/controllers/PluginController.js +++ b/api/server/controllers/PluginController.js @@ -8,7 +8,7 @@ const { getLogStores } = require('~/cache'); const getAvailablePluginsController = async (req, res) => { try { - const cache = getLogStores(CacheKeys.CONFIG_STORE); + const cache = getLogStores(CacheKeys.TOOL_CACHE); const cachedPlugins = await cache.get(CacheKeys.PLUGINS); if (cachedPlugins) { res.status(200).json(cachedPlugins); @@ -63,7 +63,7 @@ const getAvailableTools = async (req, res) => { logger.warn('[getAvailableTools] User ID not found in request'); return res.status(401).json({ message: 'Unauthorized' }); } - const cache = getLogStores(CacheKeys.CONFIG_STORE); + const cache = getLogStores(CacheKeys.TOOL_CACHE); const cachedToolsArray = await cache.get(CacheKeys.TOOLS); const appConfig = req.config ?? (await getAppConfig({ role: req.user?.role })); diff --git a/api/server/controllers/PluginController.spec.js b/api/server/controllers/PluginController.spec.js index d7d3f83a8b..06a51a3bd6 100644 --- a/api/server/controllers/PluginController.spec.js +++ b/api/server/controllers/PluginController.spec.js @@ -1,3 +1,4 @@ +const { CacheKeys } = require('librechat-data-provider'); const { getCachedTools, getAppConfig } = require('~/server/services/Config'); const { getLogStores } = require('~/cache'); @@ -63,6 +64,28 @@ describe('PluginController', () => { }); }); + describe('cache namespace', () => { + it('getAvailablePluginsController should use TOOL_CACHE namespace', async () => { + mockCache.get.mockResolvedValue([]); + await getAvailablePluginsController(mockReq, mockRes); + expect(getLogStores).toHaveBeenCalledWith(CacheKeys.TOOL_CACHE); + }); + + it('getAvailableTools should use TOOL_CACHE namespace', async () => { + mockCache.get.mockResolvedValue([]); + await getAvailableTools(mockReq, mockRes); + expect(getLogStores).toHaveBeenCalledWith(CacheKeys.TOOL_CACHE); + }); + + it('should NOT use CONFIG_STORE namespace for tool/plugin operations', async () => { + mockCache.get.mockResolvedValue([]); + await getAvailablePluginsController(mockReq, mockRes); + await getAvailableTools(mockReq, mockRes); + const allCalls = getLogStores.mock.calls.flat(); + expect(allCalls).not.toContain(CacheKeys.CONFIG_STORE); + }); + }); + describe('getAvailablePluginsController', () => { it('should use filterUniquePlugins to remove duplicate plugins', async () => { // Add plugins with duplicates to availableTools diff --git a/api/server/services/Config/__tests__/getCachedTools.spec.js b/api/server/services/Config/__tests__/getCachedTools.spec.js index 48ab6e0737..38d488ed38 100644 --- a/api/server/services/Config/__tests__/getCachedTools.spec.js +++ b/api/server/services/Config/__tests__/getCachedTools.spec.js @@ -1,10 +1,92 @@ -const { ToolCacheKeys } = require('../getCachedTools'); +const { CacheKeys } = require('librechat-data-provider'); + +jest.mock('~/cache/getLogStores'); +const getLogStores = require('~/cache/getLogStores'); + +const mockCache = { get: jest.fn(), set: jest.fn(), delete: jest.fn() }; +getLogStores.mockReturnValue(mockCache); + +const { + ToolCacheKeys, + getCachedTools, + setCachedTools, + getMCPServerTools, + invalidateCachedTools, +} = require('../getCachedTools'); + +describe('getCachedTools', () => { + beforeEach(() => { + jest.clearAllMocks(); + getLogStores.mockReturnValue(mockCache); + }); -describe('getCachedTools - Cache Isolation Security', () => { describe('ToolCacheKeys.MCP_SERVER', () => { it('should generate cache keys that include userId', () => { const key = ToolCacheKeys.MCP_SERVER('user123', 'github'); expect(key).toBe('tools:mcp:user123:github'); }); }); + + describe('TOOL_CACHE namespace usage', () => { + it('getCachedTools should use TOOL_CACHE namespace', async () => { + mockCache.get.mockResolvedValue(null); + await getCachedTools(); + expect(getLogStores).toHaveBeenCalledWith(CacheKeys.TOOL_CACHE); + }); + + it('getCachedTools with MCP server options should use TOOL_CACHE namespace', async () => { + mockCache.get.mockResolvedValue({ tool1: {} }); + await getCachedTools({ userId: 'user1', serverName: 'github' }); + expect(getLogStores).toHaveBeenCalledWith(CacheKeys.TOOL_CACHE); + expect(mockCache.get).toHaveBeenCalledWith(ToolCacheKeys.MCP_SERVER('user1', 'github')); + }); + + it('setCachedTools should use TOOL_CACHE namespace', async () => { + mockCache.set.mockResolvedValue(true); + const tools = { tool1: { type: 'function' } }; + await setCachedTools(tools); + expect(getLogStores).toHaveBeenCalledWith(CacheKeys.TOOL_CACHE); + expect(mockCache.set).toHaveBeenCalledWith(ToolCacheKeys.GLOBAL, tools, expect.any(Number)); + }); + + it('setCachedTools with MCP server options should use TOOL_CACHE namespace', async () => { + mockCache.set.mockResolvedValue(true); + const tools = { tool1: { type: 'function' } }; + await setCachedTools(tools, { userId: 'user1', serverName: 'github' }); + expect(getLogStores).toHaveBeenCalledWith(CacheKeys.TOOL_CACHE); + expect(mockCache.set).toHaveBeenCalledWith( + ToolCacheKeys.MCP_SERVER('user1', 'github'), + tools, + expect.any(Number), + ); + }); + + it('invalidateCachedTools should use TOOL_CACHE namespace', async () => { + mockCache.delete.mockResolvedValue(true); + await invalidateCachedTools({ invalidateGlobal: true }); + expect(getLogStores).toHaveBeenCalledWith(CacheKeys.TOOL_CACHE); + expect(mockCache.delete).toHaveBeenCalledWith(ToolCacheKeys.GLOBAL); + }); + + it('getMCPServerTools should use TOOL_CACHE namespace', async () => { + mockCache.get.mockResolvedValue(null); + await getMCPServerTools('user1', 'github'); + expect(getLogStores).toHaveBeenCalledWith(CacheKeys.TOOL_CACHE); + expect(mockCache.get).toHaveBeenCalledWith(ToolCacheKeys.MCP_SERVER('user1', 'github')); + }); + + it('should NOT use CONFIG_STORE namespace', async () => { + mockCache.get.mockResolvedValue(null); + await getCachedTools(); + await getMCPServerTools('user1', 'github'); + mockCache.set.mockResolvedValue(true); + await setCachedTools({ tool1: {} }); + mockCache.delete.mockResolvedValue(true); + await invalidateCachedTools({ invalidateGlobal: true }); + + const allCalls = getLogStores.mock.calls.flat(); + expect(allCalls).not.toContain(CacheKeys.CONFIG_STORE); + expect(allCalls.every((key) => key === CacheKeys.TOOL_CACHE)).toBe(true); + }); + }); }); diff --git a/api/server/services/Config/getCachedTools.js b/api/server/services/Config/getCachedTools.js index cf1618a646..eb7a08305a 100644 --- a/api/server/services/Config/getCachedTools.js +++ b/api/server/services/Config/getCachedTools.js @@ -20,7 +20,7 @@ const ToolCacheKeys = { * @returns {Promise} The available tools object or null if not cached */ async function getCachedTools(options = {}) { - const cache = getLogStores(CacheKeys.CONFIG_STORE); + const cache = getLogStores(CacheKeys.TOOL_CACHE); const { userId, serverName } = options; // Return MCP server-specific tools if requested @@ -43,7 +43,7 @@ async function getCachedTools(options = {}) { * @returns {Promise} Whether the operation was successful */ async function setCachedTools(tools, options = {}) { - const cache = getLogStores(CacheKeys.CONFIG_STORE); + const cache = getLogStores(CacheKeys.TOOL_CACHE); const { userId, serverName, ttl = Time.TWELVE_HOURS } = options; // Cache by MCP server if specified (requires userId) @@ -65,7 +65,7 @@ async function setCachedTools(tools, options = {}) { * @returns {Promise} */ async function invalidateCachedTools(options = {}) { - const cache = getLogStores(CacheKeys.CONFIG_STORE); + const cache = getLogStores(CacheKeys.TOOL_CACHE); const { userId, serverName, invalidateGlobal = false } = options; const keysToDelete = []; @@ -89,7 +89,7 @@ async function invalidateCachedTools(options = {}) { * @returns {Promise} The available tools for the server */ async function getMCPServerTools(userId, serverName) { - const cache = getLogStores(CacheKeys.CONFIG_STORE); + const cache = getLogStores(CacheKeys.TOOL_CACHE); const serverTools = await cache.get(ToolCacheKeys.MCP_SERVER(userId, serverName)); if (serverTools) { diff --git a/api/server/services/Config/mcp.js b/api/server/services/Config/mcp.js index 15ea62a028..cc4e98b59e 100644 --- a/api/server/services/Config/mcp.js +++ b/api/server/services/Config/mcp.js @@ -35,7 +35,7 @@ async function updateMCPServerTools({ userId, serverName, tools }) { await setCachedTools(serverTools, { userId, serverName }); - const cache = getLogStores(CacheKeys.CONFIG_STORE); + const cache = getLogStores(CacheKeys.TOOL_CACHE); await cache.delete(CacheKeys.TOOLS); logger.debug( `[MCP Cache] Updated ${tools.length} tools for server ${serverName} (user: ${userId})`, @@ -61,7 +61,7 @@ async function mergeAppTools(appTools) { const cachedTools = await getCachedTools(); const mergedTools = { ...cachedTools, ...appTools }; await setCachedTools(mergedTools); - const cache = getLogStores(CacheKeys.CONFIG_STORE); + const cache = getLogStores(CacheKeys.TOOL_CACHE); await cache.delete(CacheKeys.TOOLS); logger.debug(`Merged ${count} app-level tools`); } catch (error) { diff --git a/packages/api/src/cache/__tests__/cacheConfig.spec.ts b/packages/api/src/cache/__tests__/cacheConfig.spec.ts index e24f52fee0..0488cfecfc 100644 --- a/packages/api/src/cache/__tests__/cacheConfig.spec.ts +++ b/packages/api/src/cache/__tests__/cacheConfig.spec.ts @@ -215,16 +215,30 @@ describe('cacheConfig', () => { }).rejects.toThrow('Invalid cache keys in FORCED_IN_MEMORY_CACHE_NAMESPACES: INVALID_KEY'); }); - test('should handle empty string gracefully', async () => { + test('should produce empty array when set to empty string (opt out of defaults)', async () => { process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES = ''; const { cacheConfig } = await import('../cacheConfig'); expect(cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES).toEqual([]); }); - test('should handle undefined env var gracefully', async () => { + test('should default to CONFIG_STORE and APP_CONFIG when env var is not set', async () => { const { cacheConfig } = await import('../cacheConfig'); - expect(cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES).toEqual([]); + expect(cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES).toEqual(['CONFIG_STORE', 'APP_CONFIG']); + }); + + test('should accept TOOL_CACHE as a valid namespace', async () => { + process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES = 'TOOL_CACHE'; + + const { cacheConfig } = await import('../cacheConfig'); + expect(cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES).toEqual(['TOOL_CACHE']); + }); + + test('should accept CONFIG_STORE and APP_CONFIG together for blue/green deployments', async () => { + process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES = 'CONFIG_STORE,APP_CONFIG'; + + const { cacheConfig } = await import('../cacheConfig'); + expect(cacheConfig.FORCED_IN_MEMORY_CACHE_NAMESPACES).toEqual(['CONFIG_STORE', 'APP_CONFIG']); }); }); }); diff --git a/packages/api/src/cache/__tests__/cacheFactory/standardCache.namespace_isolation.spec.ts b/packages/api/src/cache/__tests__/cacheFactory/standardCache.namespace_isolation.spec.ts new file mode 100644 index 0000000000..9a8b4ff3bf --- /dev/null +++ b/packages/api/src/cache/__tests__/cacheFactory/standardCache.namespace_isolation.spec.ts @@ -0,0 +1,135 @@ +import { CacheKeys } from 'librechat-data-provider'; + +const mockKeyvRedisInstance = { + namespace: '', + keyPrefixSeparator: '', + on: jest.fn(), +}; + +const MockKeyvRedis = jest.fn().mockReturnValue(mockKeyvRedisInstance); + +jest.mock('@keyv/redis', () => ({ + default: MockKeyvRedis, +})); + +const mockKeyvRedisClient = { scanIterator: jest.fn() }; + +jest.mock('../../redisClients', () => ({ + keyvRedisClient: mockKeyvRedisClient, + ioredisClient: null, +})); + +jest.mock('../../redisUtils', () => ({ + batchDeleteKeys: jest.fn(), + scanKeys: jest.fn(), +})); + +jest.mock('@librechat/data-schemas', () => ({ + logger: { + error: jest.fn(), + warn: jest.fn(), + debug: jest.fn(), + }, +})); + +describe('standardCache - CONFIG_STORE vs TOOL_CACHE namespace isolation', () => { + afterEach(() => { + jest.resetModules(); + MockKeyvRedis.mockClear(); + }); + + /** + * Core behavioral test for blue/green deployments: + * When CONFIG_STORE and APP_CONFIG are forced in-memory, + * TOOL_CACHE should still use Redis for cross-container sharing. + */ + it('should force CONFIG_STORE to in-memory while TOOL_CACHE uses Redis', async () => { + jest.doMock('../../cacheConfig', () => ({ + cacheConfig: { + FORCED_IN_MEMORY_CACHE_NAMESPACES: [CacheKeys.CONFIG_STORE, CacheKeys.APP_CONFIG], + REDIS_KEY_PREFIX: '', + GLOBAL_PREFIX_SEPARATOR: '>>', + }, + })); + + const { standardCache } = await import('../../cacheFactory'); + + MockKeyvRedis.mockClear(); + + const configCache = standardCache(CacheKeys.CONFIG_STORE); + expect(MockKeyvRedis).not.toHaveBeenCalled(); + expect(configCache).toBeDefined(); + + const appConfigCache = standardCache(CacheKeys.APP_CONFIG); + expect(MockKeyvRedis).not.toHaveBeenCalled(); + expect(appConfigCache).toBeDefined(); + + const toolCache = standardCache(CacheKeys.TOOL_CACHE); + expect(MockKeyvRedis).toHaveBeenCalledTimes(1); + expect(MockKeyvRedis).toHaveBeenCalledWith(mockKeyvRedisClient); + expect(toolCache).toBeDefined(); + }); + + it('CONFIG_STORE and TOOL_CACHE should be independent stores', async () => { + jest.doMock('../../cacheConfig', () => ({ + cacheConfig: { + FORCED_IN_MEMORY_CACHE_NAMESPACES: [CacheKeys.CONFIG_STORE], + REDIS_KEY_PREFIX: '', + GLOBAL_PREFIX_SEPARATOR: '>>', + }, + })); + + const { standardCache } = await import('../../cacheFactory'); + + const configCache = standardCache(CacheKeys.CONFIG_STORE); + const toolCache = standardCache(CacheKeys.TOOL_CACHE); + + await configCache.set('STARTUP_CONFIG', { version: 'v2-green' }); + await toolCache.set('tools:global', { myTool: { type: 'function' } }); + + expect(await configCache.get('STARTUP_CONFIG')).toEqual({ version: 'v2-green' }); + expect(await configCache.get('tools:global')).toBeUndefined(); + + expect(await toolCache.get('STARTUP_CONFIG')).toBeUndefined(); + }); + + it('should use Redis for all namespaces when nothing is forced in-memory', async () => { + jest.doMock('../../cacheConfig', () => ({ + cacheConfig: { + FORCED_IN_MEMORY_CACHE_NAMESPACES: [], + REDIS_KEY_PREFIX: '', + GLOBAL_PREFIX_SEPARATOR: '>>', + }, + })); + + const { standardCache } = await import('../../cacheFactory'); + + MockKeyvRedis.mockClear(); + + standardCache(CacheKeys.CONFIG_STORE); + standardCache(CacheKeys.TOOL_CACHE); + standardCache(CacheKeys.APP_CONFIG); + + expect(MockKeyvRedis).toHaveBeenCalledTimes(3); + }); + + it('forcing TOOL_CACHE to in-memory should not affect CONFIG_STORE', async () => { + jest.doMock('../../cacheConfig', () => ({ + cacheConfig: { + FORCED_IN_MEMORY_CACHE_NAMESPACES: [CacheKeys.TOOL_CACHE], + REDIS_KEY_PREFIX: '', + GLOBAL_PREFIX_SEPARATOR: '>>', + }, + })); + + const { standardCache } = await import('../../cacheFactory'); + + MockKeyvRedis.mockClear(); + + standardCache(CacheKeys.TOOL_CACHE); + expect(MockKeyvRedis).not.toHaveBeenCalled(); + + standardCache(CacheKeys.CONFIG_STORE); + expect(MockKeyvRedis).toHaveBeenCalledTimes(1); + }); +}); diff --git a/packages/api/src/cache/cacheConfig.ts b/packages/api/src/cache/cacheConfig.ts index 32ea2cddd1..0d4304f5c3 100644 --- a/packages/api/src/cache/cacheConfig.ts +++ b/packages/api/src/cache/cacheConfig.ts @@ -27,9 +27,14 @@ const USE_REDIS_STREAMS = // Comma-separated list of cache namespaces that should be forced to use in-memory storage // even when Redis is enabled. This allows selective performance optimization for specific caches. -const FORCED_IN_MEMORY_CACHE_NAMESPACES = process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES - ? process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES.split(',').map((key) => key.trim()) - : []; +// Defaults to CONFIG_STORE,APP_CONFIG so YAML-derived config stays per-container. +// Set to empty string to force all namespaces through Redis. +const FORCED_IN_MEMORY_CACHE_NAMESPACES = + process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES !== undefined + ? process.env.FORCED_IN_MEMORY_CACHE_NAMESPACES.split(',') + .map((key) => key.trim()) + .filter(Boolean) + : [CacheKeys.CONFIG_STORE, CacheKeys.APP_CONFIG]; // Validate against CacheKeys enum if (FORCED_IN_MEMORY_CACHE_NAMESPACES.length > 0) { diff --git a/packages/data-provider/src/config.ts b/packages/data-provider/src/config.ts index 504811dbbe..a2b47351b1 100644 --- a/packages/data-provider/src/config.ts +++ b/packages/data-provider/src/config.ts @@ -1364,6 +1364,10 @@ export enum CacheKeys { * Key for the config store namespace. */ CONFIG_STORE = 'CONFIG_STORE', + /** + * Key for the tool cache namespace (plugins, MCP tools, tool definitions). + */ + TOOL_CACHE = 'TOOL_CACHE', /** * Key for the roles cache. */ From cc7f61096be47ab2cd4e155bd44c18350f027f05 Mon Sep 17 00:00:00 2001 From: Dustin Healy <54083382+dustinhealy@users.noreply.github.com> Date: Wed, 11 Feb 2026 19:46:41 -0800 Subject: [PATCH 10/55] =?UTF-8?q?=F0=9F=92=A1=20fix:=20System=20Theme=20Pi?= =?UTF-8?q?cker=20Selection=20(#11220)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: theme picker selection * refactor: remove problematic Jotai use and replace with React state and localStorage implementation * chore: address comments from Copilot + LibreChat Agent assisted reviewers * chore: remove unnecessary edit * chore: remove space --- .../client/src/components/ThemeSelector.tsx | 7 - packages/client/src/theme/atoms/themeAtoms.ts | 12 +- .../src/theme/context/ThemeProvider.tsx | 216 +++++++++++++----- 3 files changed, 160 insertions(+), 75 deletions(-) diff --git a/packages/client/src/components/ThemeSelector.tsx b/packages/client/src/components/ThemeSelector.tsx index c1e20358df..b817c41d7e 100644 --- a/packages/client/src/components/ThemeSelector.tsx +++ b/packages/client/src/components/ThemeSelector.tsx @@ -77,13 +77,6 @@ const ThemeSelector = ({ returnThemeOnly }: { returnThemeOnly?: boolean }) => { [setTheme, localize], ); - useEffect(() => { - if (theme === 'system') { - const prefersDarkScheme = window.matchMedia('(prefers-color-scheme: dark)').matches; - setTheme(prefersDarkScheme ? 'dark' : 'light'); - } - }, [theme, setTheme]); - useEffect(() => { if (announcement) { const timeout = setTimeout(() => setAnnouncement(''), 1000); diff --git a/packages/client/src/theme/atoms/themeAtoms.ts b/packages/client/src/theme/atoms/themeAtoms.ts index 316d092fb0..0babc4036b 100644 --- a/packages/client/src/theme/atoms/themeAtoms.ts +++ b/packages/client/src/theme/atoms/themeAtoms.ts @@ -1,17 +1,18 @@ +// This file is kept for backward compatibility but is no longer used internally. +// Theme state is now managed via React useState + localStorage in ThemeProvider. + import { atomWithStorage } from 'jotai/utils'; import { IThemeRGB } from '../types'; /** - * Atom for storing the theme mode (light/dark/system) in localStorage - * Key: 'color-theme' + * @deprecated Use ThemeContext instead. This atom is no longer used internally. */ export const themeModeAtom = atomWithStorage('color-theme', 'system', undefined, { getOnInit: true, }); /** - * Atom for storing custom theme colors in localStorage - * Key: 'theme-colors' + * @deprecated Use ThemeContext instead. This atom is no longer used internally. */ export const themeColorsAtom = atomWithStorage( 'theme-colors', @@ -23,8 +24,7 @@ export const themeColorsAtom = atomWithStorage( ); /** - * Atom for storing the theme name in localStorage - * Key: 'theme-name' + * @deprecated Use ThemeContext instead. This atom is no longer used internally. */ export const themeNameAtom = atomWithStorage( 'theme-name', diff --git a/packages/client/src/theme/context/ThemeProvider.tsx b/packages/client/src/theme/context/ThemeProvider.tsx index c803796164..30773d222a 100644 --- a/packages/client/src/theme/context/ThemeProvider.tsx +++ b/packages/client/src/theme/context/ThemeProvider.tsx @@ -1,8 +1,10 @@ -import React, { createContext, useContext, useEffect, useMemo, useCallback, useRef } from 'react'; -import { useAtom } from 'jotai'; +import React, { createContext, useContext, useEffect, useMemo, useCallback, useState, useRef } from 'react'; import { IThemeRGB } from '../types'; import applyTheme from '../utils/applyTheme'; -import { themeModeAtom, themeColorsAtom, themeNameAtom } from '../atoms/themeAtoms'; + +const THEME_KEY = 'color-theme'; +const THEME_COLORS_KEY = 'theme-colors'; +const THEME_NAME_KEY = 'theme-name'; type ThemeContextType = { theme: string; // 'light' | 'dark' | 'system' @@ -40,6 +42,70 @@ export const isDark = (theme: string): boolean => { return theme === 'dark'; }; +/** + * Validate that a parsed value looks like an IThemeRGB object + */ +const isValidThemeColors = (value: unknown): value is IThemeRGB => { + if (typeof value !== 'object' || value === null || Array.isArray(value)) { + return false; + } + for (const key of Object.keys(value)) { + const val = (value as Record)[key]; + if (val !== undefined && typeof val !== 'string') { + return false; + } + } + return true; +}; + +/** + * Get initial theme from localStorage or default to 'system' + */ +const getInitialTheme = (): string => { + if (typeof window === 'undefined') return 'system'; + try { + const stored = localStorage.getItem(THEME_KEY); + if (stored && ['light', 'dark', 'system'].includes(stored)) { + return stored; + } + } catch { + // localStorage not available + } + return 'system'; +}; + +/** + * Get initial theme colors from localStorage + */ +const getInitialThemeColors = (): IThemeRGB | undefined => { + if (typeof window === 'undefined') return undefined; + try { + const stored = localStorage.getItem(THEME_COLORS_KEY); + if (stored) { + const parsed = JSON.parse(stored); + if (isValidThemeColors(parsed)) { + return parsed; + } + } + } catch { + // localStorage not available or invalid JSON + } + return undefined; +}; + +/** + * Get initial theme name from localStorage + */ +const getInitialThemeName = (): string | undefined => { + if (typeof window === 'undefined') return undefined; + try { + return localStorage.getItem(THEME_NAME_KEY) || undefined; + } catch { + // localStorage not available + } + return undefined; +}; + /** * ThemeProvider component that handles both dark/light mode switching * and dynamic color themes via CSS variables with localStorage persistence @@ -50,102 +116,128 @@ export function ThemeProvider({ themeName: propThemeName, initialTheme, }: ThemeProviderProps) { - // Use jotai atoms for persistent state - const [theme, setTheme] = useAtom(themeModeAtom); - const [storedThemeRGB, setStoredThemeRGB] = useAtom(themeColorsAtom); - const [storedThemeName, setStoredThemeName] = useAtom(themeNameAtom); + const [theme, setThemeState] = useState(getInitialTheme); + const [themeRGB, setThemeRGBState] = useState(getInitialThemeColors); + const [themeName, setThemeNameState] = useState(getInitialThemeName); // Track if props have been initialized - const propsInitialized = useRef(false); + const initialized = useRef(false); + + const setTheme = useCallback((newTheme: string) => { + setThemeState(newTheme); + if (typeof window === 'undefined') return; + try { + localStorage.setItem(THEME_KEY, newTheme); + } catch { + // localStorage not available + } + }, []); + + const setThemeRGB = useCallback((colors?: IThemeRGB) => { + setThemeRGBState(colors); + if (typeof window === 'undefined') return; + try { + if (colors) { + localStorage.setItem(THEME_COLORS_KEY, JSON.stringify(colors)); + } else { + localStorage.removeItem(THEME_COLORS_KEY); + } + } catch { + // localStorage not available + } + }, []); + + const setThemeName = useCallback((name?: string) => { + setThemeNameState(name); + if (typeof window === 'undefined') return; + try { + if (name) { + localStorage.setItem(THEME_NAME_KEY, name); + } else { + localStorage.removeItem(THEME_NAME_KEY); + } + } catch { + // localStorage not available + } + }, []); // Initialize from props only once on mount useEffect(() => { - if (!propsInitialized.current) { - propsInitialized.current = true; + if (initialized.current) return; + initialized.current = true; - // Set initial theme if provided - if (initialTheme) { - setTheme(initialTheme); - } - - // Set initial theme colors if provided - if (propThemeRGB) { - setStoredThemeRGB(propThemeRGB); - } - - // Set initial theme name if provided - if (propThemeName) { - setStoredThemeName(propThemeName); - } + // Set initial theme if provided + if (initialTheme) { + setTheme(initialTheme); } - }, [initialTheme, propThemeRGB, propThemeName, setTheme, setStoredThemeRGB, setStoredThemeName]); + + // Set initial theme colors if provided + if (propThemeRGB) { + setThemeRGB(propThemeRGB); + } + + // Set initial theme name if provided + if (propThemeName) { + setThemeName(propThemeName); + } + }, [initialTheme, propThemeRGB, propThemeName, setTheme, setThemeRGB, setThemeName]); // Apply class-based dark mode - const applyThemeMode = useCallback((rawTheme: string) => { + const applyThemeMode = useCallback((currentTheme: string) => { const root = window.document.documentElement; - const darkMode = isDark(rawTheme); + const darkMode = isDark(currentTheme); root.classList.remove(darkMode ? 'light' : 'dark'); root.classList.add(darkMode ? 'dark' : 'light'); }, []); - // Handle system theme changes - useEffect(() => { - const mediaQuery = window.matchMedia('(prefers-color-scheme: dark)'); - const changeThemeOnSystemChange = () => { - if (theme === 'system') { - applyThemeMode('system'); - } - }; - - mediaQuery.addEventListener('change', changeThemeOnSystemChange); - return () => { - mediaQuery.removeEventListener('change', changeThemeOnSystemChange); - }; - }, [theme, applyThemeMode]); - - // Apply dark/light mode class + // Apply theme mode whenever theme changes useEffect(() => { applyThemeMode(theme); }, [theme, applyThemeMode]); + // Listen for system theme changes when theme is 'system' + useEffect(() => { + if (theme !== 'system') return; + + const mediaQuery = window.matchMedia('(prefers-color-scheme: dark)'); + const handleChange = () => { + applyThemeMode('system'); + }; + + mediaQuery.addEventListener('change', handleChange); + return () => mediaQuery.removeEventListener('change', handleChange); + }, [theme, applyThemeMode]); + // Apply dynamic color theme useEffect(() => { - if (storedThemeRGB) { - applyTheme(storedThemeRGB); + if (themeRGB) { + applyTheme(themeRGB); } - }, [storedThemeRGB]); + }, [themeRGB]); // Reset theme function const resetTheme = useCallback(() => { setTheme('system'); - setStoredThemeRGB(undefined); - setStoredThemeName(undefined); + setThemeRGB(undefined); + setThemeName(undefined); // Remove any custom CSS variables const root = document.documentElement; const customProps = Array.from(root.style).filter((prop) => prop.startsWith('--')); customProps.forEach((prop) => root.style.removeProperty(prop)); - }, [setTheme, setStoredThemeRGB, setStoredThemeName]); + }, [setTheme, setThemeRGB, setThemeName]); const value = useMemo( () => ({ theme, setTheme, - themeRGB: storedThemeRGB, - setThemeRGB: setStoredThemeRGB, - themeName: storedThemeName, - setThemeName: setStoredThemeName, + themeRGB, + setThemeRGB, + themeName, + setThemeName, resetTheme, }), - [ - theme, - setTheme, - storedThemeRGB, - setStoredThemeRGB, - storedThemeName, - setStoredThemeName, - resetTheme, - ], + [theme, setTheme, themeRGB, setThemeRGB, themeName, setThemeName, resetTheme], ); return {children}; From 72a30cd9c48fa450c208c9413e5b953d663b8cdd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 11 Feb 2026 22:56:06 -0500 Subject: [PATCH 11/55] =?UTF-8?q?=F0=9F=8C=8D=20i18n:=20Update=20translati?= =?UTF-8?q?on.json=20with=20latest=20translations=20(#11739)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- client/src/locales/en/translation.json | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/client/src/locales/en/translation.json b/client/src/locales/en/translation.json index 491bc2258b..a9f8805d9b 100644 --- a/client/src/locales/en/translation.json +++ b/client/src/locales/en/translation.json @@ -857,8 +857,6 @@ "com_ui_copy_url_to_clipboard": "Copy URL to clipboard", "com_ui_create": "Create", "com_ui_create_api_key": "Create API Key", - "com_ui_created": "Created", - "com_ui_creating": "Creating...", "com_ui_create_assistant": "Create Assistant", "com_ui_create_link": "Create link", "com_ui_create_mcp_server": "Create MCP server", @@ -867,6 +865,7 @@ "com_ui_create_prompt": "Create Prompt", "com_ui_create_prompt_page": "New Prompt Configuration Page", "com_ui_created": "Created", + "com_ui_creating": "Creating...", "com_ui_creating_image": "Creating image. May take a moment", "com_ui_current": "Current", "com_ui_currently_production": "Currently in production", @@ -896,7 +895,6 @@ "com_ui_decline": "I do not accept", "com_ui_default_post_request": "Default (POST request)", "com_ui_delete": "Delete", - "com_ui_deleting": "Deleting...", "com_ui_delete_action": "Delete Action", "com_ui_delete_action_confirm": "Are you sure you want to delete this action?", "com_ui_delete_agent": "Delete Agent", @@ -908,6 +906,8 @@ "com_ui_delete_confirm_strong": "This will delete {{title}}", "com_ui_delete_conversation": "Delete chat?", "com_ui_delete_conversation_tooltip": "Delete conversation", + "com_ui_delete_mcp_server": "Delete MCP Server?", + "com_ui_delete_mcp_server_name": "Delete MCP server {{0}}", "com_ui_delete_memory": "Delete Memory", "com_ui_delete_not_allowed": "Delete operation is not allowed", "com_ui_delete_preset": "Delete Preset?", @@ -919,9 +919,8 @@ "com_ui_delete_tool": "Delete Tool", "com_ui_delete_tool_confirm": "Are you sure you want to delete this tool?", "com_ui_delete_tool_save_reminder": "Tool removed. Save the agent to apply changes.", - "com_ui_delete_mcp_server": "Delete MCP Server?", - "com_ui_delete_mcp_server_name": "Delete MCP server {{0}}", "com_ui_deleted": "Deleted", + "com_ui_deleting": "Deleting...", "com_ui_deleting_file": "Deleting file...", "com_ui_descending": "Desc", "com_ui_description": "Description", @@ -1117,7 +1116,7 @@ "com_ui_mcp_server": "MCP Server", "com_ui_mcp_server_connection_failed": "Connection attempt to the provided MCP server failed. Please make sure the URL, the server type, and any authentication configuration are correct, then try again. Also ensure the URL is reachable.", "com_ui_mcp_server_created": "MCP server created successfully", - "com_ui_mcp_server_delete_confirm": "Are you sure you want to delete the {{0}} MCP server?", + "com_ui_mcp_server_delete_confirm": "Are you sure you want to delete this MCP server?", "com_ui_mcp_server_deleted": "MCP server deleted successfully", "com_ui_mcp_server_role_editor": "MCP Server Editor", "com_ui_mcp_server_role_editor_desc": "Can view, use, and edit MCP servers", @@ -1444,8 +1443,8 @@ "com_ui_unset": "Unset", "com_ui_untitled": "Untitled", "com_ui_update": "Update", - "com_ui_updating": "Updating...", "com_ui_update_mcp_server": "Update MCP server", + "com_ui_updating": "Updating...", "com_ui_upload": "Upload", "com_ui_upload_agent_avatar": "Successfully updated agent avatar", "com_ui_upload_agent_avatar_label": "Upload agent avatar image", From 599f4a11f185d79ca885c60561c20c58fc63a31f Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Thu, 12 Feb 2026 14:22:05 -0500 Subject: [PATCH 12/55] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20fix:=20Secure=20M?= =?UTF-8?q?CP/Actions=20OAuth=20Flows,=20Resolve=20Race=20Condition=20&=20?= =?UTF-8?q?Tool=20Cache=20Cleanup=20(#11756)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 fix: Update OAuth error message for clarity - Changed the default error message in the OAuth error route from 'Unknown error' to 'Unknown OAuth error' to provide clearer context during authentication failures. * 🔒 feat: Enhance OAuth flow with CSRF protection and session management - Implemented CSRF protection for OAuth flows by introducing `generateOAuthCsrfToken`, `setOAuthCsrfCookie`, and `validateOAuthCsrf` functions. - Added session management for OAuth with `setOAuthSession` and `validateOAuthSession` middleware. - Updated routes to bind CSRF tokens for MCP and action OAuth flows, ensuring secure authentication. - Enhanced tests to validate CSRF handling and session management in OAuth processes. * 🔧 refactor: Invalidate cached tools after user plugin disconnection - Added a call to `invalidateCachedTools` in the `updateUserPluginsController` to ensure that cached tools are refreshed when a user disconnects from an MCP server after a plugin authentication update. This change improves the accuracy of tool data for users. * chore: imports order * fix: domain separator regex usage in ToolService - Moved the declaration of `domainSeparatorRegex` to avoid redundancy in the `loadActionToolsForExecution` function, improving code clarity and performance. * chore: OAuth flow error handling and CSRF token generation - Enhanced the OAuth callback route to validate the flow ID format, ensuring proper error handling for invalid states. - Updated the CSRF token generation function to require a JWT secret, throwing an error if not provided, which improves security and clarity in token generation. - Adjusted tests to reflect changes in flow ID handling and ensure robust validation across various scenarios. --- api/server/controllers/UserController.js | 2 + api/server/middleware/requireJwtAuth.js | 3 - api/server/routes/__tests__/mcp.spec.js | 215 +++++++++++++----- api/server/routes/actions.js | 51 ++++- api/server/routes/mcp.js | 96 ++++++-- api/server/routes/oauth.js | 2 +- api/server/services/ToolService.js | 2 +- .../Chat/Messages/Content/ToolCall.tsx | 47 +++- packages/api/src/mcp/MCPConnectionFactory.ts | 82 +++---- .../__tests__/MCPConnectionFactory.test.ts | 61 ++++- packages/api/src/oauth/csrf.ts | 89 ++++++++ packages/api/src/oauth/index.ts | 1 + packages/data-provider/src/api-endpoints.ts | 5 + packages/data-provider/src/data-service.ts | 8 + 14 files changed, 523 insertions(+), 141 deletions(-) create mode 100644 packages/api/src/oauth/csrf.ts diff --git a/api/server/controllers/UserController.js b/api/server/controllers/UserController.js index 0f17b4d3a9..7a9dd8125e 100644 --- a/api/server/controllers/UserController.js +++ b/api/server/controllers/UserController.js @@ -36,6 +36,7 @@ const { const { updateUserPluginAuth, deleteUserPluginAuth } = require('~/server/services/PluginService'); const { verifyEmail, resendVerificationEmail } = require('~/server/services/AuthService'); const { getMCPManager, getFlowStateManager, getMCPServersRegistry } = require('~/config'); +const { invalidateCachedTools } = require('~/server/services/Config/getCachedTools'); const { needsRefresh, getNewS3URL } = require('~/server/services/Files/S3/crud'); const { processDeleteRequest } = require('~/server/services/Files/process'); const { getAppConfig } = require('~/server/services/Config'); @@ -215,6 +216,7 @@ const updateUserPluginsController = async (req, res) => { `[updateUserPluginsController] Attempting disconnect of MCP server "${serverName}" for user ${user.id} after plugin auth update.`, ); await mcpManager.disconnectUserConnection(user.id, serverName); + await invalidateCachedTools({ userId: user.id, serverName }); } } catch (disconnectError) { logger.error( diff --git a/api/server/middleware/requireJwtAuth.js b/api/server/middleware/requireJwtAuth.js index ed83c4773e..16b107aefc 100644 --- a/api/server/middleware/requireJwtAuth.js +++ b/api/server/middleware/requireJwtAuth.js @@ -7,16 +7,13 @@ const { isEnabled } = require('@librechat/api'); * Switches between JWT and OpenID authentication based on cookies and environment settings */ const requireJwtAuth = (req, res, next) => { - // Check if token provider is specified in cookies const cookieHeader = req.headers.cookie; const tokenProvider = cookieHeader ? cookies.parse(cookieHeader).token_provider : null; - // Use OpenID authentication if token provider is OpenID and OPENID_REUSE_TOKENS is enabled if (tokenProvider === 'openid' && isEnabled(process.env.OPENID_REUSE_TOKENS)) { return passport.authenticate('openidJwt', { session: false })(req, res, next); } - // Default to standard JWT authentication return passport.authenticate('jwt', { session: false })(req, res, next); }; diff --git a/api/server/routes/__tests__/mcp.spec.js b/api/server/routes/__tests__/mcp.spec.js index 26d7988f0a..e87fcf8f15 100644 --- a/api/server/routes/__tests__/mcp.spec.js +++ b/api/server/routes/__tests__/mcp.spec.js @@ -1,8 +1,18 @@ +const crypto = require('crypto'); const express = require('express'); const request = require('supertest'); const mongoose = require('mongoose'); -const { MongoMemoryServer } = require('mongodb-memory-server'); +const cookieParser = require('cookie-parser'); const { getBasePath } = require('@librechat/api'); +const { MongoMemoryServer } = require('mongodb-memory-server'); + +function generateTestCsrfToken(flowId) { + return crypto + .createHmac('sha256', process.env.JWT_SECRET) + .update(flowId) + .digest('hex') + .slice(0, 32); +} const mockRegistryInstance = { getServerConfig: jest.fn(), @@ -130,6 +140,7 @@ describe('MCP Routes', () => { app = express(); app.use(express.json()); + app.use(cookieParser()); app.use((req, res, next) => { req.user = { id: 'test-user-id' }; @@ -168,12 +179,12 @@ describe('MCP Routes', () => { MCPOAuthHandler.initiateOAuthFlow.mockResolvedValue({ authorizationUrl: 'https://oauth.example.com/auth', - flowId: 'test-flow-id', + flowId: 'test-user-id:test-server', }); const response = await request(app).get('/api/mcp/test-server/oauth/initiate').query({ userId: 'test-user-id', - flowId: 'test-flow-id', + flowId: 'test-user-id:test-server', }); expect(response.status).toBe(302); @@ -190,7 +201,7 @@ describe('MCP Routes', () => { it('should return 403 when userId does not match authenticated user', async () => { const response = await request(app).get('/api/mcp/test-server/oauth/initiate').query({ userId: 'different-user-id', - flowId: 'test-flow-id', + flowId: 'test-user-id:test-server', }); expect(response.status).toBe(403); @@ -228,7 +239,7 @@ describe('MCP Routes', () => { const response = await request(app).get('/api/mcp/test-server/oauth/initiate').query({ userId: 'test-user-id', - flowId: 'test-flow-id', + flowId: 'test-user-id:test-server', }); expect(response.status).toBe(400); @@ -245,7 +256,7 @@ describe('MCP Routes', () => { const response = await request(app).get('/api/mcp/test-server/oauth/initiate').query({ userId: 'test-user-id', - flowId: 'test-flow-id', + flowId: 'test-user-id:test-server', }); expect(response.status).toBe(500); @@ -255,7 +266,7 @@ describe('MCP Routes', () => { it('should return 400 when flow state metadata is null', async () => { const mockFlowManager = { getFlowState: jest.fn().mockResolvedValue({ - id: 'test-flow-id', + id: 'test-user-id:test-server', metadata: null, }), }; @@ -265,7 +276,7 @@ describe('MCP Routes', () => { const response = await request(app).get('/api/mcp/test-server/oauth/initiate').query({ userId: 'test-user-id', - flowId: 'test-flow-id', + flowId: 'test-user-id:test-server', }); expect(response.status).toBe(400); @@ -280,7 +291,7 @@ describe('MCP Routes', () => { it('should redirect to error page when OAuth error is received', async () => { const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ error: 'access_denied', - state: 'test-flow-id', + state: 'test-user-id:test-server', }); const basePath = getBasePath(); @@ -290,7 +301,7 @@ describe('MCP Routes', () => { it('should redirect to error page when code is missing', async () => { const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ - state: 'test-flow-id', + state: 'test-user-id:test-server', }); const basePath = getBasePath(); @@ -308,15 +319,50 @@ describe('MCP Routes', () => { expect(response.headers.location).toBe(`${basePath}/oauth/error?error=missing_state`); }); - it('should redirect to error page when flow state is not found', async () => { - MCPOAuthHandler.getFlowState.mockResolvedValue(null); - + it('should redirect to error page when CSRF cookie is missing', async () => { const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ code: 'test-auth-code', - state: 'invalid-flow-id', + state: 'test-user-id:test-server', }); const basePath = getBasePath(); + expect(response.status).toBe(302); + expect(response.headers.location).toBe( + `${basePath}/oauth/error?error=csrf_validation_failed`, + ); + }); + + it('should redirect to error page when CSRF cookie does not match state', async () => { + const csrfToken = generateTestCsrfToken('different-flow-id'); + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: 'test-user-id:test-server', + }); + const basePath = getBasePath(); + + expect(response.status).toBe(302); + expect(response.headers.location).toBe( + `${basePath}/oauth/error?error=csrf_validation_failed`, + ); + }); + + it('should redirect to error page when flow state is not found', async () => { + MCPOAuthHandler.getFlowState.mockResolvedValue(null); + const flowId = 'invalid-flow:id'; + const csrfToken = generateTestCsrfToken(flowId); + + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: flowId, + }); + const basePath = getBasePath(); + expect(response.status).toBe(302); expect(response.headers.location).toBe(`${basePath}/oauth/error?error=invalid_state`); }); @@ -369,16 +415,22 @@ describe('MCP Routes', () => { }); setCachedTools.mockResolvedValue(); - const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ - code: 'test-auth-code', - state: 'test-flow-id', - }); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); + + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: flowId, + }); const basePath = getBasePath(); expect(response.status).toBe(302); expect(response.headers.location).toBe(`${basePath}/oauth/success?serverName=test-server`); expect(MCPOAuthHandler.completeOAuthFlow).toHaveBeenCalledWith( - 'test-flow-id', + flowId, 'test-auth-code', mockFlowManager, {}, @@ -400,16 +452,24 @@ describe('MCP Routes', () => { 'mcp_oauth', mockTokens, ); - expect(mockFlowManager.deleteFlow).toHaveBeenCalledWith('test-flow-id', 'mcp_get_tokens'); + expect(mockFlowManager.deleteFlow).toHaveBeenCalledWith( + 'test-user-id:test-server', + 'mcp_get_tokens', + ); }); it('should redirect to error page when callback processing fails', async () => { MCPOAuthHandler.getFlowState.mockRejectedValue(new Error('Callback error')); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); - const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ - code: 'test-auth-code', - state: 'test-flow-id', - }); + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: flowId, + }); const basePath = getBasePath(); expect(response.status).toBe(302); @@ -442,15 +502,21 @@ describe('MCP Routes', () => { getLogStores.mockReturnValue({}); require('~/config').getFlowStateManager.mockReturnValue(mockFlowManager); - const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ - code: 'test-auth-code', - state: 'test-flow-id', - }); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); + + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: flowId, + }); const basePath = getBasePath(); expect(response.status).toBe(302); expect(response.headers.location).toBe(`${basePath}/oauth/success?serverName=test-server`); - expect(mockFlowManager.deleteFlow).toHaveBeenCalledWith('test-flow-id', 'mcp_get_tokens'); + expect(mockFlowManager.deleteFlow).toHaveBeenCalledWith(flowId, 'mcp_get_tokens'); }); it('should handle reconnection failure after OAuth', async () => { @@ -488,16 +554,22 @@ describe('MCP Routes', () => { getCachedTools.mockResolvedValue({}); setCachedTools.mockResolvedValue(); - const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ - code: 'test-auth-code', - state: 'test-flow-id', - }); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); + + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: flowId, + }); const basePath = getBasePath(); expect(response.status).toBe(302); expect(response.headers.location).toBe(`${basePath}/oauth/success?serverName=test-server`); expect(MCPTokenStorage.storeTokens).toHaveBeenCalled(); - expect(mockFlowManager.deleteFlow).toHaveBeenCalledWith('test-flow-id', 'mcp_get_tokens'); + expect(mockFlowManager.deleteFlow).toHaveBeenCalledWith(flowId, 'mcp_get_tokens'); }); it('should redirect to error page if token storage fails', async () => { @@ -530,10 +602,16 @@ describe('MCP Routes', () => { }; require('~/config').getMCPManager.mockReturnValue(mockMcpManager); - const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ - code: 'test-auth-code', - state: 'test-flow-id', - }); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); + + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: flowId, + }); const basePath = getBasePath(); expect(response.status).toBe(302); @@ -589,22 +667,27 @@ describe('MCP Routes', () => { clearReconnection: jest.fn(), }); - const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ - code: 'test-auth-code', - state: 'test-flow-id', - }); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); + + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: flowId, + }); const basePath = getBasePath(); expect(response.status).toBe(302); expect(response.headers.location).toBe(`${basePath}/oauth/success?serverName=test-server`); - // Verify storeTokens was called with ORIGINAL flow state credentials expect(MCPTokenStorage.storeTokens).toHaveBeenCalledWith( expect.objectContaining({ userId: 'test-user-id', serverName: 'test-server', tokens: mockTokens, - clientInfo: clientInfo, // Uses original flow state, not any "updated" credentials + clientInfo: clientInfo, metadata: flowState.metadata, }), ); @@ -631,16 +714,21 @@ describe('MCP Routes', () => { getLogStores.mockReturnValue({}); require('~/config').getFlowStateManager.mockReturnValue(mockFlowManager); - const response = await request(app).get('/api/mcp/test-server/oauth/callback').query({ - code: 'test-auth-code', - state: 'test-flow-id', - }); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); + + const response = await request(app) + .get('/api/mcp/test-server/oauth/callback') + .set('Cookie', [`oauth_csrf=${csrfToken}`]) + .query({ + code: 'test-auth-code', + state: flowId, + }); const basePath = getBasePath(); expect(response.status).toBe(302); expect(response.headers.location).toBe(`${basePath}/oauth/success?serverName=test-server`); - // Verify completeOAuthFlow was NOT called (prevented duplicate) expect(MCPOAuthHandler.completeOAuthFlow).not.toHaveBeenCalled(); expect(MCPTokenStorage.storeTokens).not.toHaveBeenCalled(); }); @@ -755,7 +843,7 @@ describe('MCP Routes', () => { getLogStores.mockReturnValue({}); require('~/config').getFlowStateManager.mockReturnValue(mockFlowManager); - const response = await request(app).get('/api/mcp/oauth/status/test-flow-id'); + const response = await request(app).get('/api/mcp/oauth/status/test-user-id:test-server'); expect(response.status).toBe(200); expect(response.body).toEqual({ @@ -766,6 +854,13 @@ describe('MCP Routes', () => { }); }); + it('should return 403 when flowId does not match authenticated user', async () => { + const response = await request(app).get('/api/mcp/oauth/status/other-user-id:test-server'); + + expect(response.status).toBe(403); + expect(response.body).toEqual({ error: 'Access denied' }); + }); + it('should return 404 when flow is not found', async () => { const mockFlowManager = { getFlowState: jest.fn().mockResolvedValue(null), @@ -774,7 +869,7 @@ describe('MCP Routes', () => { getLogStores.mockReturnValue({}); require('~/config').getFlowStateManager.mockReturnValue(mockFlowManager); - const response = await request(app).get('/api/mcp/oauth/status/non-existent-flow'); + const response = await request(app).get('/api/mcp/oauth/status/test-user-id:non-existent'); expect(response.status).toBe(404); expect(response.body).toEqual({ error: 'Flow not found' }); @@ -788,7 +883,7 @@ describe('MCP Routes', () => { getLogStores.mockReturnValue({}); require('~/config').getFlowStateManager.mockReturnValue(mockFlowManager); - const response = await request(app).get('/api/mcp/oauth/status/error-flow-id'); + const response = await request(app).get('/api/mcp/oauth/status/test-user-id:error-server'); expect(response.status).toBe(500); expect(response.body).toEqual({ error: 'Failed to get flow status' }); @@ -1375,7 +1470,7 @@ describe('MCP Routes', () => { refresh_token: 'edge-refresh-token', }; MCPOAuthHandler.getFlowState = jest.fn().mockResolvedValue({ - id: 'test-flow-id', + id: 'test-user-id:test-server', userId: 'test-user-id', metadata: { serverUrl: 'https://example.com', @@ -1403,8 +1498,12 @@ describe('MCP Routes', () => { }; require('~/config').getMCPManager.mockReturnValue(mockMcpManager); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); + const response = await request(app) - .get('/api/mcp/test-server/oauth/callback?code=test-code&state=test-flow-id') + .get(`/api/mcp/test-server/oauth/callback?code=test-code&state=${flowId}`) + .set('Cookie', [`oauth_csrf=${csrfToken}`]) .expect(302); const basePath = getBasePath(); @@ -1424,7 +1523,7 @@ describe('MCP Routes', () => { const mockFlowManager = { getFlowState: jest.fn().mockResolvedValue({ - id: 'test-flow-id', + id: 'test-user-id:test-server', userId: 'test-user-id', metadata: { serverUrl: 'https://example.com', oauth: {} }, clientInfo: {}, @@ -1453,8 +1552,12 @@ describe('MCP Routes', () => { }; require('~/config').getMCPManager.mockReturnValue(mockMcpManager); + const flowId = 'test-user-id:test-server'; + const csrfToken = generateTestCsrfToken(flowId); + const response = await request(app) - .get('/api/mcp/test-server/oauth/callback?code=test-code&state=test-flow-id') + .get(`/api/mcp/test-server/oauth/callback?code=test-code&state=${flowId}`) + .set('Cookie', [`oauth_csrf=${csrfToken}`]) .expect(302); const basePath = getBasePath(); diff --git a/api/server/routes/actions.js b/api/server/routes/actions.js index 14474a53d3..806edc66cc 100644 --- a/api/server/routes/actions.js +++ b/api/server/routes/actions.js @@ -1,14 +1,47 @@ const express = require('express'); const jwt = require('jsonwebtoken'); -const { getAccessToken, getBasePath } = require('@librechat/api'); const { logger } = require('@librechat/data-schemas'); const { CacheKeys } = require('librechat-data-provider'); +const { + getBasePath, + getAccessToken, + setOAuthSession, + validateOAuthCsrf, + OAUTH_CSRF_COOKIE, + setOAuthCsrfCookie, + validateOAuthSession, + OAUTH_SESSION_COOKIE, +} = require('@librechat/api'); const { findToken, updateToken, createToken } = require('~/models'); +const { requireJwtAuth } = require('~/server/middleware'); const { getFlowStateManager } = require('~/config'); const { getLogStores } = require('~/cache'); const router = express.Router(); const JWT_SECRET = process.env.JWT_SECRET; +const OAUTH_CSRF_COOKIE_PATH = '/api/actions'; + +/** + * Sets a CSRF cookie binding the action OAuth flow to the current browser session. + * Must be called before the user opens the IdP authorization URL. + * + * @route POST /actions/:action_id/oauth/bind + */ +router.post('/:action_id/oauth/bind', requireJwtAuth, setOAuthSession, async (req, res) => { + try { + const { action_id } = req.params; + const user = req.user; + if (!user?.id) { + return res.status(401).json({ error: 'User not authenticated' }); + } + const flowId = `${user.id}:${action_id}`; + setOAuthCsrfCookie(res, flowId, OAUTH_CSRF_COOKIE_PATH); + res.json({ success: true }); + } catch (error) { + logger.error('[Action OAuth] Failed to set CSRF binding cookie', error); + res.status(500).json({ error: 'Failed to bind OAuth flow' }); + } +}); /** * Handles the OAuth callback and exchanges the authorization code for tokens. @@ -45,7 +78,22 @@ router.get('/:action_id/oauth/callback', async (req, res) => { await flowManager.failFlow(identifier, 'oauth', 'Invalid user ID in state parameter'); return res.redirect(`${basePath}/oauth/error?error=invalid_state`); } + identifier = `${decodedState.user}:${action_id}`; + + if ( + !validateOAuthCsrf(req, res, identifier, OAUTH_CSRF_COOKIE_PATH) && + !validateOAuthSession(req, decodedState.user) + ) { + logger.error('[Action OAuth] CSRF validation failed: no valid CSRF or session cookie', { + identifier, + hasCsrfCookie: !!req.cookies?.[OAUTH_CSRF_COOKIE], + hasSessionCookie: !!req.cookies?.[OAUTH_SESSION_COOKIE], + }); + await flowManager.failFlow(identifier, 'oauth', 'CSRF validation failed'); + return res.redirect(`${basePath}/oauth/error?error=csrf_validation_failed`); + } + const flowState = await flowManager.getFlowState(identifier, 'oauth'); if (!flowState) { throw new Error('OAuth flow not found'); @@ -71,7 +119,6 @@ router.get('/:action_id/oauth/callback', async (req, res) => { ); await flowManager.completeFlow(identifier, 'oauth', tokenData); - /** Redirect to React success page */ const serverName = flowState.metadata?.action_name || `Action ${action_id}`; const redirectUrl = `${basePath}/oauth/success?serverName=${encodeURIComponent(serverName)}`; res.redirect(redirectUrl); diff --git a/api/server/routes/mcp.js b/api/server/routes/mcp.js index f01c7ff71c..2db8c2c462 100644 --- a/api/server/routes/mcp.js +++ b/api/server/routes/mcp.js @@ -8,18 +8,32 @@ const { Permissions, } = require('librechat-data-provider'); const { + getBasePath, createSafeUser, MCPOAuthHandler, MCPTokenStorage, - getBasePath, + setOAuthSession, getUserMCPAuthMap, + validateOAuthCsrf, + OAUTH_CSRF_COOKIE, + setOAuthCsrfCookie, generateCheckAccess, + validateOAuthSession, + OAUTH_SESSION_COOKIE, } = require('@librechat/api'); const { - getMCPManager, - getFlowStateManager, + createMCPServerController, + updateMCPServerController, + deleteMCPServerController, + getMCPServersList, + getMCPServerById, + getMCPTools, +} = require('~/server/controllers/mcp'); +const { getOAuthReconnectionManager, getMCPServersRegistry, + getFlowStateManager, + getMCPManager, } = require('~/config'); const { getMCPSetupData, getServerConnectionStatus } = require('~/server/services/MCP'); const { requireJwtAuth, canAccessMCPServerResource } = require('~/server/middleware'); @@ -27,20 +41,14 @@ const { findToken, updateToken, createToken, deleteTokens } = require('~/models' const { getUserPluginAuthValue } = require('~/server/services/PluginService'); const { updateMCPServerTools } = require('~/server/services/Config/mcp'); const { reinitMCPServer } = require('~/server/services/Tools/mcp'); -const { getMCPTools } = require('~/server/controllers/mcp'); const { findPluginAuthsByKeys } = require('~/models'); const { getRoleByName } = require('~/models/Role'); const { getLogStores } = require('~/cache'); -const { - createMCPServerController, - getMCPServerById, - getMCPServersList, - updateMCPServerController, - deleteMCPServerController, -} = require('~/server/controllers/mcp'); const router = Router(); +const OAUTH_CSRF_COOKIE_PATH = '/api/mcp'; + /** * Get all MCP tools available to the user * Returns only MCP tools, completely decoupled from regular LibreChat tools @@ -53,7 +61,7 @@ router.get('/tools', requireJwtAuth, async (req, res) => { * Initiate OAuth flow * This endpoint is called when the user clicks the auth link in the UI */ -router.get('/:serverName/oauth/initiate', requireJwtAuth, async (req, res) => { +router.get('/:serverName/oauth/initiate', requireJwtAuth, setOAuthSession, async (req, res) => { try { const { serverName } = req.params; const { userId, flowId } = req.query; @@ -93,7 +101,7 @@ router.get('/:serverName/oauth/initiate', requireJwtAuth, async (req, res) => { logger.debug('[MCP OAuth] OAuth flow initiated', { oauthFlowId, authorizationUrl }); - // Redirect user to the authorization URL + setOAuthCsrfCookie(res, oauthFlowId, OAUTH_CSRF_COOKIE_PATH); res.redirect(authorizationUrl); } catch (error) { logger.error('[MCP OAuth] Failed to initiate OAuth', error); @@ -138,6 +146,25 @@ router.get('/:serverName/oauth/callback', async (req, res) => { const flowId = state; logger.debug('[MCP OAuth] Using flow ID from state', { flowId }); + const flowParts = flowId.split(':'); + if (flowParts.length < 2 || !flowParts[0] || !flowParts[1]) { + logger.error('[MCP OAuth] Invalid flow ID format in state', { flowId }); + return res.redirect(`${basePath}/oauth/error?error=invalid_state`); + } + + const [flowUserId] = flowParts; + if ( + !validateOAuthCsrf(req, res, flowId, OAUTH_CSRF_COOKIE_PATH) && + !validateOAuthSession(req, flowUserId) + ) { + logger.error('[MCP OAuth] CSRF validation failed: no valid CSRF or session cookie', { + flowId, + hasCsrfCookie: !!req.cookies?.[OAUTH_CSRF_COOKIE], + hasSessionCookie: !!req.cookies?.[OAUTH_SESSION_COOKIE], + }); + return res.redirect(`${basePath}/oauth/error?error=csrf_validation_failed`); + } + const flowsCache = getLogStores(CacheKeys.FLOWS); const flowManager = getFlowStateManager(flowsCache); @@ -302,13 +329,47 @@ router.get('/oauth/tokens/:flowId', requireJwtAuth, async (req, res) => { } }); +/** + * Set CSRF binding cookie for OAuth flows initiated outside of HTTP request/response + * (e.g. during chat via SSE). The frontend should call this before opening the OAuth URL + * so the callback can verify the browser matches the flow initiator. + */ +router.post('/:serverName/oauth/bind', requireJwtAuth, setOAuthSession, async (req, res) => { + try { + const { serverName } = req.params; + const user = req.user; + + if (!user?.id) { + return res.status(401).json({ error: 'User not authenticated' }); + } + + const flowId = MCPOAuthHandler.generateFlowId(user.id, serverName); + setOAuthCsrfCookie(res, flowId, OAUTH_CSRF_COOKIE_PATH); + + res.json({ success: true }); + } catch (error) { + logger.error('[MCP OAuth] Failed to set CSRF binding cookie', error); + res.status(500).json({ error: 'Failed to bind OAuth flow' }); + } +}); + /** * Check OAuth flow status * This endpoint can be used to poll the status of an OAuth flow */ -router.get('/oauth/status/:flowId', async (req, res) => { +router.get('/oauth/status/:flowId', requireJwtAuth, async (req, res) => { try { const { flowId } = req.params; + const user = req.user; + + if (!user?.id) { + return res.status(401).json({ error: 'User not authenticated' }); + } + + if (!flowId.startsWith(`${user.id}:`) && !flowId.startsWith('system:')) { + return res.status(403).json({ error: 'Access denied' }); + } + const flowsCache = getLogStores(CacheKeys.FLOWS); const flowManager = getFlowStateManager(flowsCache); @@ -375,7 +436,7 @@ router.post('/oauth/cancel/:serverName', requireJwtAuth, async (req, res) => { * Reinitialize MCP server * This endpoint allows reinitializing a specific MCP server */ -router.post('/:serverName/reinitialize', requireJwtAuth, async (req, res) => { +router.post('/:serverName/reinitialize', requireJwtAuth, setOAuthSession, async (req, res) => { try { const { serverName } = req.params; const user = createSafeUser(req.user); @@ -421,6 +482,11 @@ router.post('/:serverName/reinitialize', requireJwtAuth, async (req, res) => { const { success, message, oauthRequired, oauthUrl } = result; + if (oauthRequired) { + const flowId = MCPOAuthHandler.generateFlowId(user.id, serverName); + setOAuthCsrfCookie(res, flowId, OAUTH_CSRF_COOKIE_PATH); + } + res.json({ success, message, diff --git a/api/server/routes/oauth.js b/api/server/routes/oauth.js index 4a2e2f70c6..f4bb5b6026 100644 --- a/api/server/routes/oauth.js +++ b/api/server/routes/oauth.js @@ -29,7 +29,7 @@ const oauthHandler = createOAuthHandler(); router.get('/error', (req, res) => { /** A single error message is pushed by passport when authentication fails. */ - const errorMessage = req.session?.messages?.pop() || 'Unknown error'; + const errorMessage = req.session?.messages?.pop() || 'Unknown OAuth error'; logger.error('Error in OAuth authentication:', { message: errorMessage, }); diff --git a/api/server/services/ToolService.js b/api/server/services/ToolService.js index 7f8c1d0460..eedb95bd4d 100644 --- a/api/server/services/ToolService.js +++ b/api/server/services/ToolService.js @@ -1339,6 +1339,7 @@ async function loadActionToolsForExecution({ }); } + const domainSeparatorRegex = new RegExp(actionDomainSeparator, 'g'); for (const toolName of actionToolNames) { let currentDomain = ''; for (const domain of domainMap.keys()) { @@ -1355,7 +1356,6 @@ async function loadActionToolsForExecution({ const { action, encrypted, zodSchemas, requestBuilders, functionSignatures } = processedActionSets.get(currentDomain); - const domainSeparatorRegex = new RegExp(actionDomainSeparator, 'g'); const normalizedDomain = currentDomain.replace(domainSeparatorRegex, '_'); const functionName = toolName.replace(`${actionDelimiter}${normalizedDomain}`, ''); const functionSig = functionSignatures.find((sig) => sig.name === functionName); diff --git a/client/src/components/Chat/Messages/Content/ToolCall.tsx b/client/src/components/Chat/Messages/Content/ToolCall.tsx index b9feef1bad..c807288b46 100644 --- a/client/src/components/Chat/Messages/Content/ToolCall.tsx +++ b/client/src/components/Chat/Messages/Content/ToolCall.tsx @@ -1,7 +1,12 @@ -import { useMemo, useState, useEffect, useRef, useLayoutEffect } from 'react'; +import { useMemo, useState, useEffect, useRef, useCallback, useLayoutEffect } from 'react'; import { Button } from '@librechat/client'; import { TriangleAlert } from 'lucide-react'; -import { actionDelimiter, actionDomainSeparator, Constants } from 'librechat-data-provider'; +import { + Constants, + dataService, + actionDelimiter, + actionDomainSeparator, +} from 'librechat-data-provider'; import type { TAttachment } from 'librechat-data-provider'; import { useLocalize, useProgress } from '~/hooks'; import { AttachmentGroup } from './Parts'; @@ -36,9 +41,9 @@ export default function ToolCall({ const [isAnimating, setIsAnimating] = useState(false); const prevShowInfoRef = useRef(showInfo); - const { function_name, domain, isMCPToolCall } = useMemo(() => { + const { function_name, domain, isMCPToolCall, mcpServerName } = useMemo(() => { if (typeof name !== 'string') { - return { function_name: '', domain: null, isMCPToolCall: false }; + return { function_name: '', domain: null, isMCPToolCall: false, mcpServerName: '' }; } if (name.includes(Constants.mcp_delimiter)) { const [func, server] = name.split(Constants.mcp_delimiter); @@ -46,6 +51,7 @@ export default function ToolCall({ function_name: func || '', domain: server && (server.replaceAll(actionDomainSeparator, '.') || null), isMCPToolCall: true, + mcpServerName: server || '', }; } const [func, _domain] = name.includes(actionDelimiter) @@ -55,9 +61,40 @@ export default function ToolCall({ function_name: func || '', domain: _domain && (_domain.replaceAll(actionDomainSeparator, '.') || null), isMCPToolCall: false, + mcpServerName: '', }; }, [name]); + const actionId = useMemo(() => { + if (isMCPToolCall || !auth) { + return ''; + } + try { + const url = new URL(auth); + const redirectUri = url.searchParams.get('redirect_uri') || ''; + const match = redirectUri.match(/\/api\/actions\/([^/]+)\/oauth\/callback/); + return match?.[1] || ''; + } catch { + return ''; + } + }, [auth, isMCPToolCall]); + + const handleOAuthClick = useCallback(async () => { + if (!auth) { + return; + } + try { + if (isMCPToolCall && mcpServerName) { + await dataService.bindMCPOAuth(mcpServerName); + } else if (actionId) { + await dataService.bindActionOAuth(actionId); + } + } catch (e) { + logger.error('Failed to bind OAuth CSRF cookie', e); + } + window.open(auth, '_blank', 'noopener,noreferrer'); + }, [auth, isMCPToolCall, mcpServerName, actionId]); + const error = typeof output === 'string' && output.toLowerCase().includes('error processing tool'); @@ -230,7 +267,7 @@ export default function ToolCall({ className="font-mediu inline-flex items-center justify-center rounded-xl px-4 py-2 text-sm" variant="default" rel="noopener noreferrer" - onClick={() => window.open(auth, '_blank', 'noopener,noreferrer')} + onClick={handleOAuthClick} > {localize('com_ui_sign_in_to_domain', { 0: authDomain })} diff --git a/packages/api/src/mcp/MCPConnectionFactory.ts b/packages/api/src/mcp/MCPConnectionFactory.ts index 748cd0a967..a8f631614d 100644 --- a/packages/api/src/mcp/MCPConnectionFactory.ts +++ b/packages/api/src/mcp/MCPConnectionFactory.ts @@ -298,38 +298,45 @@ export class MCPConnectionFactory { const oauthHandler = async (data: { serverUrl?: string }) => { logger.info(`${this.logPrefix} oauthRequired event received`); - // If we just want to initiate OAuth and return, handle it differently if (this.returnOnOAuth) { try { const config = this.serverConfig; - const { authorizationUrl, flowId, flowMetadata } = - await MCPOAuthHandler.initiateOAuthFlow( - this.serverName, - data.serverUrl || '', - this.userId!, - config?.oauth_headers ?? {}, - config?.oauth, + const flowId = MCPOAuthHandler.generateFlowId(this.userId!, this.serverName); + const existingFlow = await this.flowManager!.getFlowState(flowId, 'mcp_oauth'); + + if (existingFlow?.status === 'PENDING') { + logger.debug( + `${this.logPrefix} PENDING OAuth flow already exists, skipping new initiation`, ); + connection.emit('oauthFailed', new Error('OAuth flow initiated - return early')); + return; + } - // Delete any existing flow state to ensure we start fresh - // This prevents stale codeVerifier issues when re-authenticating - await this.flowManager!.deleteFlow(flowId, 'mcp_oauth'); + const { + authorizationUrl, + flowId: newFlowId, + flowMetadata, + } = await MCPOAuthHandler.initiateOAuthFlow( + this.serverName, + data.serverUrl || '', + this.userId!, + config?.oauth_headers ?? {}, + config?.oauth, + ); - // Create the flow state so the OAuth callback can find it - // We spawn this in the background without waiting for it - // Pass signal so the flow can be aborted if the request is cancelled - this.flowManager!.createFlow(flowId, 'mcp_oauth', flowMetadata, this.signal).catch(() => { - // The OAuth callback will resolve this flow, so we expect it to timeout here - // or it will be aborted if the request is cancelled - both are fine - }); + if (existingFlow) { + await this.flowManager!.deleteFlow(newFlowId, 'mcp_oauth'); + } + + this.flowManager!.createFlow(newFlowId, 'mcp_oauth', flowMetadata, this.signal).catch( + () => {}, + ); if (this.oauthStart) { logger.info(`${this.logPrefix} OAuth flow started, issuing authorization URL`); await this.oauthStart(authorizationUrl); } - // Emit oauthFailed to signal that connection should not proceed - // but OAuth was successfully initiated connection.emit('oauthFailed', new Error('OAuth flow initiated - return early')); return; } catch (error) { @@ -391,11 +398,9 @@ export class MCPConnectionFactory { logger.error(`${this.logPrefix} Failed to establish connection.`); } - // Handles connection attempts with retry logic and OAuth error handling private async connectTo(connection: MCPConnection): Promise { const maxAttempts = 3; let attempts = 0; - let oauthHandled = false; while (attempts < maxAttempts) { try { @@ -408,22 +413,6 @@ export class MCPConnectionFactory { attempts++; if (this.useOAuth && this.isOAuthError(error)) { - // For returnOnOAuth mode, let the event handler (handleOAuthEvents) deal with OAuth - // We just need to stop retrying and let the error propagate - if (this.returnOnOAuth) { - logger.info( - `${this.logPrefix} OAuth required (return on OAuth mode), stopping retries`, - ); - throw error; - } - - // Normal flow - wait for OAuth to complete - if (this.oauthStart && !oauthHandled) { - oauthHandled = true; - logger.info(`${this.logPrefix} Handling OAuth`); - await this.handleOAuthRequired(); - } - // Don't retry on OAuth errors - just throw logger.info(`${this.logPrefix} OAuth required, stopping connection attempts`); throw error; } @@ -499,26 +488,15 @@ export class MCPConnectionFactory { /** Check if there's already an ongoing OAuth flow for this flowId */ const existingFlow = await this.flowManager.getFlowState(flowId, 'mcp_oauth'); - // If any flow exists (PENDING, COMPLETED, FAILED), cancel it and start fresh - // This ensures the user always gets a new OAuth URL instead of waiting for stale flows if (existingFlow) { logger.debug( - `${this.logPrefix} Found existing OAuth flow (status: ${existingFlow.status}), cancelling to start fresh`, + `${this.logPrefix} Found existing OAuth flow (status: ${existingFlow.status}), cleaning up to start fresh`, ); try { - if (existingFlow.status === 'PENDING') { - await this.flowManager.failFlow( - flowId, - 'mcp_oauth', - new Error('Cancelled for new OAuth request'), - ); - } else { - await this.flowManager.deleteFlow(flowId, 'mcp_oauth'); - } + await this.flowManager.deleteFlow(flowId, 'mcp_oauth'); } catch (error) { - logger.warn(`${this.logPrefix} Failed to cancel existing OAuth flow`, error); + logger.warn(`${this.logPrefix} Failed to clean up existing OAuth flow`, error); } - // Continue to start a new flow below } logger.debug(`${this.logPrefix} Initiating new OAuth flow for ${this.serverName}...`); diff --git a/packages/api/src/mcp/__tests__/MCPConnectionFactory.test.ts b/packages/api/src/mcp/__tests__/MCPConnectionFactory.test.ts index 9f824bce23..263c84357a 100644 --- a/packages/api/src/mcp/__tests__/MCPConnectionFactory.test.ts +++ b/packages/api/src/mcp/__tests__/MCPConnectionFactory.test.ts @@ -270,7 +270,54 @@ describe('MCPConnectionFactory', () => { ); }); - it('should delete existing flow before creating new OAuth flow to prevent stale codeVerifier', async () => { + it('should skip new OAuth flow initiation when a PENDING flow already exists (returnOnOAuth)', async () => { + const basicOptions = { + serverName: 'test-server', + serverConfig: mockServerConfig, + user: mockUser, + }; + + const oauthOptions: t.OAuthConnectionOptions = { + user: mockUser, + useOAuth: true, + returnOnOAuth: true, + oauthStart: jest.fn(), + flowManager: mockFlowManager, + }; + + mockFlowManager.getFlowState.mockResolvedValue({ + status: 'PENDING', + type: 'mcp_oauth', + metadata: { codeVerifier: 'existing-verifier' }, + createdAt: Date.now(), + }); + mockConnectionInstance.isConnected.mockResolvedValue(false); + + let oauthRequiredHandler: (data: Record) => Promise; + mockConnectionInstance.on.mockImplementation((event, handler) => { + if (event === 'oauthRequired') { + oauthRequiredHandler = handler as (data: Record) => Promise; + } + return mockConnectionInstance; + }); + + try { + await MCPConnectionFactory.create(basicOptions, oauthOptions); + } catch { + // Expected to fail + } + + await oauthRequiredHandler!({ serverUrl: 'https://api.example.com' }); + + expect(mockMCPOAuthHandler.initiateOAuthFlow).not.toHaveBeenCalled(); + expect(mockFlowManager.deleteFlow).not.toHaveBeenCalled(); + expect(mockConnectionInstance.emit).toHaveBeenCalledWith( + 'oauthFailed', + expect.objectContaining({ message: 'OAuth flow initiated - return early' }), + ); + }); + + it('should delete stale flow and create new OAuth flow when existing flow is COMPLETED', async () => { const basicOptions = { serverName: 'test-server', serverConfig: mockServerConfig, @@ -303,6 +350,12 @@ describe('MCPConnectionFactory', () => { }, }; + mockFlowManager.getFlowState.mockResolvedValue({ + status: 'COMPLETED', + type: 'mcp_oauth', + metadata: { codeVerifier: 'old-verifier' }, + createdAt: Date.now() - 60000, + }); mockMCPOAuthHandler.initiateOAuthFlow.mockResolvedValue(mockFlowData); mockFlowManager.deleteFlow.mockResolvedValue(true); mockFlowManager.createFlow.mockRejectedValue(new Error('Timeout expected')); @@ -319,21 +372,17 @@ describe('MCPConnectionFactory', () => { try { await MCPConnectionFactory.create(basicOptions, oauthOptions); } catch { - // Expected to fail due to connection not established + // Expected to fail } await oauthRequiredHandler!({ serverUrl: 'https://api.example.com' }); - // Verify deleteFlow was called with correct parameters expect(mockFlowManager.deleteFlow).toHaveBeenCalledWith('user123:test-server', 'mcp_oauth'); - // Verify deleteFlow was called before createFlow const deleteCallOrder = mockFlowManager.deleteFlow.mock.invocationCallOrder[0]; const createCallOrder = mockFlowManager.createFlow.mock.invocationCallOrder[0]; expect(deleteCallOrder).toBeLessThan(createCallOrder); - // Verify createFlow was called with fresh metadata - // 4th arg is the abort signal (undefined in this test since no signal was provided) expect(mockFlowManager.createFlow).toHaveBeenCalledWith( 'user123:test-server', 'mcp_oauth', diff --git a/packages/api/src/oauth/csrf.ts b/packages/api/src/oauth/csrf.ts new file mode 100644 index 0000000000..5bf0566b45 --- /dev/null +++ b/packages/api/src/oauth/csrf.ts @@ -0,0 +1,89 @@ +import crypto from 'crypto'; +import type { Request, Response, NextFunction } from 'express'; + +export const OAUTH_CSRF_COOKIE = 'oauth_csrf'; +export const OAUTH_CSRF_MAX_AGE = 10 * 60 * 1000; + +export const OAUTH_SESSION_COOKIE = 'oauth_session'; +export const OAUTH_SESSION_MAX_AGE = 24 * 60 * 60 * 1000; +export const OAUTH_SESSION_COOKIE_PATH = '/api'; + +const isProduction = process.env.NODE_ENV === 'production'; + +/** Generates an HMAC-based token for OAuth CSRF protection */ +export function generateOAuthCsrfToken(flowId: string, secret?: string): string { + const key = secret || process.env.JWT_SECRET; + if (!key) { + throw new Error('JWT_SECRET is required for OAuth CSRF token generation'); + } + return crypto.createHmac('sha256', key).update(flowId).digest('hex').slice(0, 32); +} + +/** Sets a SameSite=Lax CSRF cookie bound to a specific OAuth flow */ +export function setOAuthCsrfCookie(res: Response, flowId: string, cookiePath: string): void { + res.cookie(OAUTH_CSRF_COOKIE, generateOAuthCsrfToken(flowId), { + httpOnly: true, + secure: isProduction, + sameSite: 'lax', + maxAge: OAUTH_CSRF_MAX_AGE, + path: cookiePath, + }); +} + +/** + * Validates the per-flow CSRF cookie against the expected HMAC. + * Uses timing-safe comparison and always clears the cookie to prevent replay. + */ +export function validateOAuthCsrf( + req: Request, + res: Response, + flowId: string, + cookiePath: string, +): boolean { + const cookie = (req.cookies as Record | undefined)?.[OAUTH_CSRF_COOKIE]; + res.clearCookie(OAUTH_CSRF_COOKIE, { path: cookiePath }); + if (!cookie) { + return false; + } + const expected = generateOAuthCsrfToken(flowId); + if (cookie.length !== expected.length) { + return false; + } + return crypto.timingSafeEqual(Buffer.from(cookie), Buffer.from(expected)); +} + +/** + * Express middleware that sets the OAuth session cookie after JWT authentication. + * Chain after requireJwtAuth on routes that precede an OAuth redirect (e.g., reinitialize, bind). + */ +export function setOAuthSession(req: Request, res: Response, next: NextFunction): void { + const user = (req as Request & { user?: { id?: string } }).user; + if (user?.id && !(req.cookies as Record | undefined)?.[OAUTH_SESSION_COOKIE]) { + setOAuthSessionCookie(res, user.id); + } + next(); +} + +/** Sets a SameSite=Lax session cookie that binds the browser to the authenticated userId */ +export function setOAuthSessionCookie(res: Response, userId: string): void { + res.cookie(OAUTH_SESSION_COOKIE, generateOAuthCsrfToken(userId), { + httpOnly: true, + secure: isProduction, + sameSite: 'lax', + maxAge: OAUTH_SESSION_MAX_AGE, + path: OAUTH_SESSION_COOKIE_PATH, + }); +} + +/** Validates the session cookie against the expected userId using timing-safe comparison */ +export function validateOAuthSession(req: Request, userId: string): boolean { + const cookie = (req.cookies as Record | undefined)?.[OAUTH_SESSION_COOKIE]; + if (!cookie) { + return false; + } + const expected = generateOAuthCsrfToken(userId); + if (cookie.length !== expected.length) { + return false; + } + return crypto.timingSafeEqual(Buffer.from(cookie), Buffer.from(expected)); +} diff --git a/packages/api/src/oauth/index.ts b/packages/api/src/oauth/index.ts index e56053c166..01be92b6e3 100644 --- a/packages/api/src/oauth/index.ts +++ b/packages/api/src/oauth/index.ts @@ -1 +1,2 @@ +export * from './csrf'; export * from './tokens'; diff --git a/packages/data-provider/src/api-endpoints.ts b/packages/data-provider/src/api-endpoints.ts index d49535b094..db6df32015 100644 --- a/packages/data-provider/src/api-endpoints.ts +++ b/packages/data-provider/src/api-endpoints.ts @@ -181,6 +181,11 @@ export const cancelMCPOAuth = (serverName: string) => { return `${BASE_URL}/api/mcp/oauth/cancel/${serverName}`; }; +export const mcpOAuthBind = (serverName: string) => `${BASE_URL}/api/mcp/${serverName}/oauth/bind`; + +export const actionOAuthBind = (actionId: string) => + `${BASE_URL}/api/actions/${actionId}/oauth/bind`; + export const config = () => `${BASE_URL}/api/config`; export const prompts = () => `${BASE_URL}/api/prompts`; diff --git a/packages/data-provider/src/data-service.ts b/packages/data-provider/src/data-service.ts index 8919e2589b..be5cccd43b 100644 --- a/packages/data-provider/src/data-service.ts +++ b/packages/data-provider/src/data-service.ts @@ -178,6 +178,14 @@ export const reinitializeMCPServer = (serverName: string) => { return request.post(endpoints.mcpReinitialize(serverName)); }; +export const bindMCPOAuth = (serverName: string): Promise<{ success: boolean }> => { + return request.post(endpoints.mcpOAuthBind(serverName)); +}; + +export const bindActionOAuth = (actionId: string): Promise<{ success: boolean }> => { + return request.post(endpoints.actionOAuthBind(actionId)); +}; + export const getMCPConnectionStatus = (): Promise => { return request.get(endpoints.mcpConnectionStatus()); }; From 7067c35787ecfa0d110cb1d4a667acc6109986a1 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Thu, 12 Feb 2026 15:42:22 -0500 Subject: [PATCH 13/55] =?UTF-8?q?=F0=9F=8F=81=20fix:=20Resolve=20Content?= =?UTF-8?q?=20Aggregation=20Race=20Condition=20in=20Agent=20Event=20Handle?= =?UTF-8?q?rs=20(#11757)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 refactor: Consolidate aggregateContent calls in agent handlers - Moved aggregateContent function calls to the beginning of the event handling functions in the agent callbacks to ensure consistent data aggregation before processing events. This change improves code clarity and maintains the intended functionality without redundancy. * 🔧 chore: Update @librechat/agents to version 3.1.40 in package.json and package-lock.json across multiple packages * 🔧 fix: Increase default recursion limit in AgentClient from 25 to 50 for improved processing capability --- api/package.json | 2 +- api/server/controllers/agents/callbacks.js | 10 +++++----- api/server/controllers/agents/client.js | 2 +- package-lock.json | 10 +++++----- packages/api/package.json | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/api/package.json b/api/package.json index 0e0099ef06..4e3f882a91 100644 --- a/api/package.json +++ b/api/package.json @@ -44,7 +44,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.39", + "@librechat/agents": "^3.1.40", "@librechat/api": "*", "@librechat/data-schemas": "*", "@microsoft/microsoft-graph-client": "^3.0.7", diff --git a/api/server/controllers/agents/callbacks.js b/api/server/controllers/agents/callbacks.js index 867e7f53af..163fc4ebba 100644 --- a/api/server/controllers/agents/callbacks.js +++ b/api/server/controllers/agents/callbacks.js @@ -209,6 +209,7 @@ function getDefaultHandlers({ * @param {GraphRunnableConfig['configurable']} [metadata] The runnable metadata. */ handle: async (event, data, metadata) => { + aggregateContent({ event, data }); if (data?.stepDetails.type === StepTypes.TOOL_CALLS) { await emitEvent(res, streamId, { event, data }); } else if (checkIfLastAgent(metadata?.last_agent_id, metadata?.langgraph_node)) { @@ -227,7 +228,6 @@ function getDefaultHandlers({ }, }); } - aggregateContent({ event, data }); }, }, [GraphEvents.ON_RUN_STEP_DELTA]: { @@ -238,6 +238,7 @@ function getDefaultHandlers({ * @param {GraphRunnableConfig['configurable']} [metadata] The runnable metadata. */ handle: async (event, data, metadata) => { + aggregateContent({ event, data }); if (data?.delta.type === StepTypes.TOOL_CALLS) { await emitEvent(res, streamId, { event, data }); } else if (checkIfLastAgent(metadata?.last_agent_id, metadata?.langgraph_node)) { @@ -245,7 +246,6 @@ function getDefaultHandlers({ } else if (!metadata?.hide_sequential_outputs) { await emitEvent(res, streamId, { event, data }); } - aggregateContent({ event, data }); }, }, [GraphEvents.ON_RUN_STEP_COMPLETED]: { @@ -256,6 +256,7 @@ function getDefaultHandlers({ * @param {GraphRunnableConfig['configurable']} [metadata] The runnable metadata. */ handle: async (event, data, metadata) => { + aggregateContent({ event, data }); if (data?.result != null) { await emitEvent(res, streamId, { event, data }); } else if (checkIfLastAgent(metadata?.last_agent_id, metadata?.langgraph_node)) { @@ -263,7 +264,6 @@ function getDefaultHandlers({ } else if (!metadata?.hide_sequential_outputs) { await emitEvent(res, streamId, { event, data }); } - aggregateContent({ event, data }); }, }, [GraphEvents.ON_MESSAGE_DELTA]: { @@ -274,12 +274,12 @@ function getDefaultHandlers({ * @param {GraphRunnableConfig['configurable']} [metadata] The runnable metadata. */ handle: async (event, data, metadata) => { + aggregateContent({ event, data }); if (checkIfLastAgent(metadata?.last_agent_id, metadata?.langgraph_node)) { await emitEvent(res, streamId, { event, data }); } else if (!metadata?.hide_sequential_outputs) { await emitEvent(res, streamId, { event, data }); } - aggregateContent({ event, data }); }, }, [GraphEvents.ON_REASONING_DELTA]: { @@ -290,12 +290,12 @@ function getDefaultHandlers({ * @param {GraphRunnableConfig['configurable']} [metadata] The runnable metadata. */ handle: async (event, data, metadata) => { + aggregateContent({ event, data }); if (checkIfLastAgent(metadata?.last_agent_id, metadata?.langgraph_node)) { await emitEvent(res, streamId, { event, data }); } else if (!metadata?.hide_sequential_outputs) { await emitEvent(res, streamId, { event, data }); } - aggregateContent({ event, data }); }, }, }; diff --git a/api/server/controllers/agents/client.js b/api/server/controllers/agents/client.js index c7aadc6d87..8edbd28122 100644 --- a/api/server/controllers/agents/client.js +++ b/api/server/controllers/agents/client.js @@ -969,7 +969,7 @@ class AgentClient extends BaseClient { }, user: createSafeUser(this.options.req.user), }, - recursionLimit: agentsEConfig?.recursionLimit ?? 25, + recursionLimit: agentsEConfig?.recursionLimit ?? 50, signal: abortController.signal, streamMode: 'values', version: 'v2', diff --git a/package-lock.json b/package-lock.json index 249ad9e0d6..b2a8eb9930 100644 --- a/package-lock.json +++ b/package-lock.json @@ -58,7 +58,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.39", + "@librechat/agents": "^3.1.40", "@librechat/api": "*", "@librechat/data-schemas": "*", "@microsoft/microsoft-graph-client": "^3.0.7", @@ -11207,9 +11207,9 @@ } }, "node_modules/@librechat/agents": { - "version": "3.1.39", - "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.39.tgz", - "integrity": "sha512-HsMOkAKap6O0w4rpr/YdZIrRXBo8tEIM9iO8Z/6txeQUHyRsrdBFo7Kdu+t0leUOq+3NysnD8BRQpcfXKfMF3Q==", + "version": "3.1.40", + "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.40.tgz", + "integrity": "sha512-L7caKWIQ7z/lMgASc7MscnH7oqVG0pYTuU4nn6GEr8QIG+oH2ow+q1+xXDJADHS84Zysj93i/tIeuEZrBYrabA==", "license": "MIT", "dependencies": { "@anthropic-ai/sdk": "^0.73.0", @@ -42102,7 +42102,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.39", + "@librechat/agents": "^3.1.40", "@librechat/data-schemas": "*", "@modelcontextprotocol/sdk": "^1.26.0", "@smithy/node-http-handler": "^4.4.5", diff --git a/packages/api/package.json b/packages/api/package.json index b9d233e2ea..037e1949d8 100644 --- a/packages/api/package.json +++ b/packages/api/package.json @@ -87,7 +87,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.39", + "@librechat/agents": "^3.1.40", "@librechat/data-schemas": "*", "@modelcontextprotocol/sdk": "^1.26.0", "@smithy/node-http-handler": "^4.4.5", From e3a60ba5326f2668a16ad89361976565f8b17e3d Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Thu, 12 Feb 2026 17:43:43 -0500 Subject: [PATCH 14/55] =?UTF-8?q?=F0=9F=93=A6=20chore:=20@librechat/agents?= =?UTF-8?q?=20to=20v3.1.41=20(#11759)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/package.json | 2 +- package-lock.json | 12 ++++++------ packages/api/package.json | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/api/package.json b/api/package.json index 4e3f882a91..05755c6020 100644 --- a/api/package.json +++ b/api/package.json @@ -44,7 +44,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.40", + "@librechat/agents": "^3.1.41", "@librechat/api": "*", "@librechat/data-schemas": "*", "@microsoft/microsoft-graph-client": "^3.0.7", diff --git a/package-lock.json b/package-lock.json index b2a8eb9930..29c38184e2 100644 --- a/package-lock.json +++ b/package-lock.json @@ -58,7 +58,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.40", + "@librechat/agents": "^3.1.41", "@librechat/api": "*", "@librechat/data-schemas": "*", "@microsoft/microsoft-graph-client": "^3.0.7", @@ -11207,9 +11207,9 @@ } }, "node_modules/@librechat/agents": { - "version": "3.1.40", - "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.40.tgz", - "integrity": "sha512-L7caKWIQ7z/lMgASc7MscnH7oqVG0pYTuU4nn6GEr8QIG+oH2ow+q1+xXDJADHS84Zysj93i/tIeuEZrBYrabA==", + "version": "3.1.41", + "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.41.tgz", + "integrity": "sha512-djdJOGv8GxiI3vRyJZ5MoN8Gy3ZzfSTPOuWtqXLO0MzUkyQB32FqiM3YmtAjBbHLu0CSoOgkE8VVubQsOZauWQ==", "license": "MIT", "dependencies": { "@anthropic-ai/sdk": "^0.73.0", @@ -11229,7 +11229,7 @@ "@langfuse/otel": "^4.3.0", "@langfuse/tracing": "^4.3.0", "@opentelemetry/sdk-node": "^0.207.0", - "axios": "^1.12.1", + "axios": "^1.13.5", "cheerio": "^1.0.0", "dotenv": "^16.4.7", "https-proxy-agent": "^7.0.6", @@ -42102,7 +42102,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.40", + "@librechat/agents": "^3.1.41", "@librechat/data-schemas": "*", "@modelcontextprotocol/sdk": "^1.26.0", "@smithy/node-http-handler": "^4.4.5", diff --git a/packages/api/package.json b/packages/api/package.json index 037e1949d8..cc0b67d0ee 100644 --- a/packages/api/package.json +++ b/packages/api/package.json @@ -87,7 +87,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.40", + "@librechat/agents": "^3.1.41", "@librechat/data-schemas": "*", "@modelcontextprotocol/sdk": "^1.26.0", "@smithy/node-http-handler": "^4.4.5", From 793ddbce9f662786fdb6dc69b193cb546f889a7b Mon Sep 17 00:00:00 2001 From: Andrei Blizorukov <55080535+ablizorukov@users.noreply.github.com> Date: Fri, 13 Feb 2026 00:05:53 +0100 Subject: [PATCH 15/55] =?UTF-8?q?=F0=9F=94=8E=20fix:=20Include=20Legacy=20?= =?UTF-8?q?Documents=20With=20Undefined=20`=5FmeiliIndex`=20in=20Search=20?= =?UTF-8?q?Sync=20(#11745)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: document with undefined _meiliIndex not synced missing property _meiliIndex is not being synced into meilisearch * fix: updated comments to reflect changes to fix_meiliSearch property usage --- api/db/utils.js | 2 +- api/db/utils.spec.js | 10 +- .../src/models/plugins/mongoMeili.spec.ts | 235 ++++++++++++++++++ .../src/models/plugins/mongoMeili.ts | 6 +- 4 files changed, 245 insertions(+), 8 deletions(-) diff --git a/api/db/utils.js b/api/db/utils.js index 4a311d9832..32051be78d 100644 --- a/api/db/utils.js +++ b/api/db/utils.js @@ -26,7 +26,7 @@ async function batchResetMeiliFlags(collection) { try { while (hasMore) { const docs = await collection - .find({ expiredAt: null, _meiliIndex: true }, { projection: { _id: 1 } }) + .find({ expiredAt: null, _meiliIndex: { $ne: false } }, { projection: { _id: 1 } }) .limit(BATCH_SIZE) .toArray(); diff --git a/api/db/utils.spec.js b/api/db/utils.spec.js index 8b32b4aea8..adf4f6cd86 100644 --- a/api/db/utils.spec.js +++ b/api/db/utils.spec.js @@ -265,8 +265,8 @@ describe('batchResetMeiliFlags', () => { const result = await batchResetMeiliFlags(testCollection); - // Only one document has _meiliIndex: true - expect(result).toBe(1); + // both documents should be updated + expect(result).toBe(2); }); it('should handle mixed document states correctly', async () => { @@ -275,16 +275,18 @@ describe('batchResetMeiliFlags', () => { { _id: new mongoose.Types.ObjectId(), expiredAt: null, _meiliIndex: false }, { _id: new mongoose.Types.ObjectId(), expiredAt: new Date(), _meiliIndex: true }, { _id: new mongoose.Types.ObjectId(), expiredAt: null, _meiliIndex: true }, + { _id: new mongoose.Types.ObjectId(), expiredAt: null, _meiliIndex: null }, + { _id: new mongoose.Types.ObjectId(), expiredAt: null }, ]); const result = await batchResetMeiliFlags(testCollection); - expect(result).toBe(2); + expect(result).toBe(4); const flaggedDocs = await testCollection .find({ expiredAt: null, _meiliIndex: false }) .toArray(); - expect(flaggedDocs).toHaveLength(3); // 2 were updated, 1 was already false + expect(flaggedDocs).toHaveLength(5); // 4 were updated, 1 was already false }); }); diff --git a/packages/data-schemas/src/models/plugins/mongoMeili.spec.ts b/packages/data-schemas/src/models/plugins/mongoMeili.spec.ts index a289b88fe0..d988624d13 100644 --- a/packages/data-schemas/src/models/plugins/mongoMeili.spec.ts +++ b/packages/data-schemas/src/models/plugins/mongoMeili.spec.ts @@ -1015,4 +1015,239 @@ describe('Meilisearch Mongoose plugin', () => { ]); }); }); + + describe('Missing _meiliIndex property handling in sync process', () => { + test('syncWithMeili includes documents with missing _meiliIndex', async () => { + const conversationModel = createConversationModel(mongoose) as SchemaWithMeiliMethods; + await conversationModel.deleteMany({}); + mockAddDocumentsInBatches.mockClear(); + + // Insert documents with different _meiliIndex states + await conversationModel.collection.insertMany([ + { + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + title: 'Missing _meiliIndex', + endpoint: EModelEndpoint.openAI, + expiredAt: null, + // _meiliIndex is not set (missing/undefined) + }, + { + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + title: 'Explicit false', + endpoint: EModelEndpoint.openAI, + expiredAt: null, + _meiliIndex: false, + }, + { + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + title: 'Already indexed', + endpoint: EModelEndpoint.openAI, + expiredAt: null, + _meiliIndex: true, + }, + ]); + + // Run sync + await conversationModel.syncWithMeili(); + + // Should have processed 2 documents (missing and false, but not true) + expect(mockAddDocumentsInBatches).toHaveBeenCalled(); + + // Check that both documents without _meiliIndex=true are now indexed + const indexedCount = await conversationModel.countDocuments({ + expiredAt: null, + _meiliIndex: true, + }); + expect(indexedCount).toBe(3); // All 3 should now be indexed + + // Verify documents with missing _meiliIndex were updated + const docsWithMissingIndex = await conversationModel.countDocuments({ + expiredAt: null, + title: 'Missing _meiliIndex', + _meiliIndex: true, + }); + expect(docsWithMissingIndex).toBe(1); + }); + + test('getSyncProgress counts documents with missing _meiliIndex as not indexed', async () => { + const messageModel = createMessageModel(mongoose) as SchemaWithMeiliMethods; + await messageModel.deleteMany({}); + + // Insert documents with different _meiliIndex states + await messageModel.collection.insertMany([ + { + messageId: new mongoose.Types.ObjectId(), + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + isCreatedByUser: true, + expiredAt: null, + _meiliIndex: true, + }, + { + messageId: new mongoose.Types.ObjectId(), + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + isCreatedByUser: true, + expiredAt: null, + _meiliIndex: false, + }, + { + messageId: new mongoose.Types.ObjectId(), + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + isCreatedByUser: true, + expiredAt: null, + // _meiliIndex is missing + }, + ]); + + const progress = await messageModel.getSyncProgress(); + + // Total should be 3 + expect(progress.totalDocuments).toBe(3); + // Only 1 is indexed (with _meiliIndex: true) + expect(progress.totalProcessed).toBe(1); + // Not complete since 2 documents are not indexed + expect(progress.isComplete).toBe(false); + }); + + test('query with _meiliIndex: { $ne: true } includes missing values', async () => { + const conversationModel = createConversationModel(mongoose) as SchemaWithMeiliMethods; + await conversationModel.deleteMany({}); + + // Insert documents with different _meiliIndex states + await conversationModel.collection.insertMany([ + { + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + title: 'Missing', + endpoint: EModelEndpoint.openAI, + expiredAt: null, + // _meiliIndex is missing + }, + { + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + title: 'False', + endpoint: EModelEndpoint.openAI, + expiredAt: null, + _meiliIndex: false, + }, + { + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + title: 'True', + endpoint: EModelEndpoint.openAI, + expiredAt: null, + _meiliIndex: true, + }, + ]); + + // Query for documents where _meiliIndex is not true (used in syncWithMeili) + const unindexedDocs = await conversationModel.find({ + expiredAt: null, + _meiliIndex: { $ne: true }, + }); + + // Should find 2 documents (missing and false, but not true) + expect(unindexedDocs.length).toBe(2); + const titles = unindexedDocs.map((doc) => doc.title).sort(); + expect(titles).toEqual(['False', 'Missing']); + }); + + test('syncWithMeili processes all documents where _meiliIndex is not true', async () => { + const messageModel = createMessageModel(mongoose) as SchemaWithMeiliMethods; + await messageModel.deleteMany({}); + mockAddDocumentsInBatches.mockClear(); + + // Create a mix of documents with missing and false _meiliIndex + await messageModel.collection.insertMany([ + { + messageId: new mongoose.Types.ObjectId(), + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + isCreatedByUser: true, + expiredAt: null, + // _meiliIndex missing + }, + { + messageId: new mongoose.Types.ObjectId(), + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + isCreatedByUser: true, + expiredAt: null, + _meiliIndex: false, + }, + { + messageId: new mongoose.Types.ObjectId(), + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + isCreatedByUser: true, + expiredAt: null, + // _meiliIndex missing + }, + ]); + + // Count documents that should be synced (where _meiliIndex: { $ne: true }) + const toSyncCount = await messageModel.countDocuments({ + expiredAt: null, + _meiliIndex: { $ne: true }, + }); + expect(toSyncCount).toBe(3); // All 3 should be synced + + await messageModel.syncWithMeili(); + + // All should now be indexed + const indexedCount = await messageModel.countDocuments({ + expiredAt: null, + _meiliIndex: true, + }); + expect(indexedCount).toBe(3); + }); + + test('syncWithMeili treats missing _meiliIndex same as false', async () => { + const conversationModel = createConversationModel(mongoose) as SchemaWithMeiliMethods; + await conversationModel.deleteMany({}); + mockAddDocumentsInBatches.mockClear(); + + // Insert one document with missing _meiliIndex and one with false + await conversationModel.collection.insertMany([ + { + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + title: 'Missing', + endpoint: EModelEndpoint.openAI, + expiredAt: null, + // _meiliIndex is missing + }, + { + conversationId: new mongoose.Types.ObjectId(), + user: new mongoose.Types.ObjectId(), + title: 'False', + endpoint: EModelEndpoint.openAI, + expiredAt: null, + _meiliIndex: false, + }, + ]); + + // Both should be picked up by the sync query + const toSync = await conversationModel.find({ + expiredAt: null, + _meiliIndex: { $ne: true }, + }); + expect(toSync.length).toBe(2); + + await conversationModel.syncWithMeili(); + + // Both should be indexed after sync + const afterSync = await conversationModel.find({ + expiredAt: null, + _meiliIndex: true, + }); + expect(afterSync.length).toBe(2); + }); + }); }); diff --git a/packages/data-schemas/src/models/plugins/mongoMeili.ts b/packages/data-schemas/src/models/plugins/mongoMeili.ts index 92fc5f328c..1cbe0d8761 100644 --- a/packages/data-schemas/src/models/plugins/mongoMeili.ts +++ b/packages/data-schemas/src/models/plugins/mongoMeili.ts @@ -162,8 +162,8 @@ const createMeiliMongooseModel = ({ /** * Synchronizes data between the MongoDB collection and the MeiliSearch index by - * incrementally indexing only documents where `expiredAt` is `null` and `_meiliIndex` is `false` - * (i.e., non-expired documents that have not yet been indexed). + * incrementally indexing only documents where `expiredAt` is `null` and `_meiliIndex` is not `true` + * (i.e., non-expired documents that have not yet been indexed, including those with missing or null `_meiliIndex`). * */ static async syncWithMeili(this: SchemaWithMeiliMethods): Promise { const startTime = Date.now(); @@ -196,7 +196,7 @@ const createMeiliMongooseModel = ({ while (hasMore) { const query: FilterQuery = { expiredAt: null, - _meiliIndex: false, + _meiliIndex: { $ne: true }, }; try { From b8c31e73146673173ff3a337cb67a22af1d76fe9 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Thu, 12 Feb 2026 18:08:24 -0500 Subject: [PATCH 16/55] =?UTF-8?q?=F0=9F=94=B1=20chore:=20Harden=20API=20Ro?= =?UTF-8?q?utes=20Against=20IDOR=20and=20DoS=20Attacks=20(#11760)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 feat: Update user key handling in keys route and add comprehensive tests - Enhanced the PUT /api/keys route to destructure request body for better clarity and maintainability. - Introduced a new test suite for keys route, covering key update, deletion, and retrieval functionalities, ensuring robust validation and IDOR prevention. - Added tests to verify handling of extraneous fields and missing optional parameters in requests. * 🔧 fix: Enhance conversation deletion route with parameter validation - Updated the DELETE /api/convos route to handle cases where the request body is empty or the 'arg' parameter is null/undefined, returning a 400 status with an appropriate error message for DoS prevention. - Added corresponding tests to ensure proper validation and error handling for these scenarios, enhancing the robustness of the API. * 🔧 fix: Improve request body validation in keys and convos routes - Updated the DELETE /api/convos and PUT /api/keys routes to validate the request body, returning a 400 status for null or invalid bodies to enhance security and prevent potential DoS attacks. - Added corresponding tests to ensure proper error handling for these scenarios, improving the robustness of the API. --- api/server/routes/__tests__/convos.spec.js | 34 ++++ api/server/routes/__tests__/keys.spec.js | 174 +++++++++++++++++++++ api/server/routes/convos.js | 6 +- api/server/routes/keys.js | 6 +- 4 files changed, 216 insertions(+), 4 deletions(-) create mode 100644 api/server/routes/__tests__/keys.spec.js diff --git a/api/server/routes/__tests__/convos.spec.js b/api/server/routes/__tests__/convos.spec.js index ef11b3cbbb..931ef006d0 100644 --- a/api/server/routes/__tests__/convos.spec.js +++ b/api/server/routes/__tests__/convos.spec.js @@ -385,6 +385,40 @@ describe('Convos Routes', () => { expect(deleteConvoSharedLink).not.toHaveBeenCalled(); }); + it('should return 400 when request body is empty (DoS prevention)', async () => { + const response = await request(app).delete('/api/convos').send({}); + + expect(response.status).toBe(400); + expect(response.body).toEqual({ error: 'no parameters provided' }); + expect(deleteConvos).not.toHaveBeenCalled(); + }); + + it('should return 400 when arg is null (DoS prevention)', async () => { + const response = await request(app).delete('/api/convos').send({ arg: null }); + + expect(response.status).toBe(400); + expect(response.body).toEqual({ error: 'no parameters provided' }); + expect(deleteConvos).not.toHaveBeenCalled(); + }); + + it('should return 400 when arg is undefined (DoS prevention)', async () => { + const response = await request(app).delete('/api/convos').send({ arg: undefined }); + + expect(response.status).toBe(400); + expect(response.body).toEqual({ error: 'no parameters provided' }); + expect(deleteConvos).not.toHaveBeenCalled(); + }); + + it('should return 400 when request body is null (DoS prevention)', async () => { + const response = await request(app) + .delete('/api/convos') + .set('Content-Type', 'application/json') + .send('null'); + + expect(response.status).toBe(400); + expect(deleteConvos).not.toHaveBeenCalled(); + }); + it('should return 500 if deleteConvoSharedLink fails', async () => { const mockConversationId = 'conv-error'; diff --git a/api/server/routes/__tests__/keys.spec.js b/api/server/routes/__tests__/keys.spec.js new file mode 100644 index 0000000000..0c96dd3bcb --- /dev/null +++ b/api/server/routes/__tests__/keys.spec.js @@ -0,0 +1,174 @@ +const express = require('express'); +const request = require('supertest'); + +jest.mock('~/models', () => ({ + updateUserKey: jest.fn(), + deleteUserKey: jest.fn(), + getUserKeyExpiry: jest.fn(), +})); + +jest.mock('~/server/middleware/requireJwtAuth', () => (req, res, next) => next()); + +jest.mock('~/server/middleware', () => ({ + requireJwtAuth: (req, res, next) => next(), +})); + +describe('Keys Routes', () => { + let app; + const { updateUserKey, deleteUserKey, getUserKeyExpiry } = require('~/models'); + + beforeAll(() => { + const keysRouter = require('../keys'); + + app = express(); + app.use(express.json()); + + app.use((req, res, next) => { + req.user = { id: 'test-user-123' }; + next(); + }); + + app.use('/api/keys', keysRouter); + }); + + beforeEach(() => { + jest.clearAllMocks(); + }); + + describe('PUT /', () => { + it('should update a user key with the authenticated user ID', async () => { + updateUserKey.mockResolvedValue({}); + + const response = await request(app) + .put('/api/keys') + .send({ name: 'openAI', value: 'sk-test-key-123', expiresAt: '2026-12-31' }); + + expect(response.status).toBe(201); + expect(updateUserKey).toHaveBeenCalledWith({ + userId: 'test-user-123', + name: 'openAI', + value: 'sk-test-key-123', + expiresAt: '2026-12-31', + }); + expect(updateUserKey).toHaveBeenCalledTimes(1); + }); + + it('should not allow userId override via request body (IDOR prevention)', async () => { + updateUserKey.mockResolvedValue({}); + + const response = await request(app).put('/api/keys').send({ + userId: 'attacker-injected-id', + name: 'openAI', + value: 'sk-attacker-key', + }); + + expect(response.status).toBe(201); + expect(updateUserKey).toHaveBeenCalledWith({ + userId: 'test-user-123', + name: 'openAI', + value: 'sk-attacker-key', + expiresAt: undefined, + }); + }); + + it('should ignore extraneous fields from request body', async () => { + updateUserKey.mockResolvedValue({}); + + const response = await request(app).put('/api/keys').send({ + name: 'openAI', + value: 'sk-test-key', + expiresAt: '2026-12-31', + _id: 'injected-mongo-id', + __v: 99, + extra: 'should-be-ignored', + }); + + expect(response.status).toBe(201); + expect(updateUserKey).toHaveBeenCalledWith({ + userId: 'test-user-123', + name: 'openAI', + value: 'sk-test-key', + expiresAt: '2026-12-31', + }); + }); + + it('should handle missing optional fields', async () => { + updateUserKey.mockResolvedValue({}); + + const response = await request(app) + .put('/api/keys') + .send({ name: 'anthropic', value: 'sk-ant-key' }); + + expect(response.status).toBe(201); + expect(updateUserKey).toHaveBeenCalledWith({ + userId: 'test-user-123', + name: 'anthropic', + value: 'sk-ant-key', + expiresAt: undefined, + }); + }); + + it('should return 400 when request body is null', async () => { + const response = await request(app) + .put('/api/keys') + .set('Content-Type', 'application/json') + .send('null'); + + expect(response.status).toBe(400); + expect(updateUserKey).not.toHaveBeenCalled(); + }); + }); + + describe('DELETE /:name', () => { + it('should delete a user key by name', async () => { + deleteUserKey.mockResolvedValue({}); + + const response = await request(app).delete('/api/keys/openAI'); + + expect(response.status).toBe(204); + expect(deleteUserKey).toHaveBeenCalledWith({ + userId: 'test-user-123', + name: 'openAI', + }); + expect(deleteUserKey).toHaveBeenCalledTimes(1); + }); + }); + + describe('DELETE /', () => { + it('should delete all keys when all=true', async () => { + deleteUserKey.mockResolvedValue({}); + + const response = await request(app).delete('/api/keys?all=true'); + + expect(response.status).toBe(204); + expect(deleteUserKey).toHaveBeenCalledWith({ + userId: 'test-user-123', + all: true, + }); + }); + + it('should return 400 when all query param is not true', async () => { + const response = await request(app).delete('/api/keys'); + + expect(response.status).toBe(400); + expect(response.body).toEqual({ error: 'Specify either all=true to delete.' }); + expect(deleteUserKey).not.toHaveBeenCalled(); + }); + }); + + describe('GET /', () => { + it('should return key expiry for a given key name', async () => { + const mockExpiry = { expiresAt: '2026-12-31' }; + getUserKeyExpiry.mockResolvedValue(mockExpiry); + + const response = await request(app).get('/api/keys?name=openAI'); + + expect(response.status).toBe(200); + expect(response.body).toEqual(mockExpiry); + expect(getUserKeyExpiry).toHaveBeenCalledWith({ + userId: 'test-user-123', + name: 'openAI', + }); + }); + }); +}); diff --git a/api/server/routes/convos.js b/api/server/routes/convos.js index 75b3656f59..bb9c4ebea9 100644 --- a/api/server/routes/convos.js +++ b/api/server/routes/convos.js @@ -98,7 +98,7 @@ router.get('/gen_title/:conversationId', async (req, res) => { router.delete('/', async (req, res) => { let filter = {}; - const { conversationId, source, thread_id, endpoint } = req.body.arg; + const { conversationId, source, thread_id, endpoint } = req.body?.arg ?? {}; // Prevent deletion of all conversations if (!conversationId && !source && !thread_id && !endpoint) { @@ -160,7 +160,7 @@ router.delete('/all', async (req, res) => { * @returns {object} 200 - The updated conversation object. */ router.post('/archive', validateConvoAccess, async (req, res) => { - const { conversationId, isArchived } = req.body.arg ?? {}; + const { conversationId, isArchived } = req.body?.arg ?? {}; if (!conversationId) { return res.status(400).json({ error: 'conversationId is required' }); @@ -194,7 +194,7 @@ const MAX_CONVO_TITLE_LENGTH = 1024; * @returns {object} 201 - The updated conversation object. */ router.post('/update', validateConvoAccess, async (req, res) => { - const { conversationId, title } = req.body.arg ?? {}; + const { conversationId, title } = req.body?.arg ?? {}; if (!conversationId) { return res.status(400).json({ error: 'conversationId is required' }); diff --git a/api/server/routes/keys.js b/api/server/routes/keys.js index 620e4d234b..dfd68f69c4 100644 --- a/api/server/routes/keys.js +++ b/api/server/routes/keys.js @@ -5,7 +5,11 @@ const { requireJwtAuth } = require('~/server/middleware'); const router = express.Router(); router.put('/', requireJwtAuth, async (req, res) => { - await updateUserKey({ userId: req.user.id, ...req.body }); + if (req.body == null || typeof req.body !== 'object') { + return res.status(400).send({ error: 'Invalid request body.' }); + } + const { name, value, expiresAt } = req.body; + await updateUserKey({ userId: req.user.id, name, value, expiresAt }); res.status(201).send(); }); From e142ab72da7ca53327543fcf2cc30461262f5e28 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Thu, 12 Feb 2026 18:47:57 -0500 Subject: [PATCH 17/55] =?UTF-8?q?=F0=9F=94=92=20fix:=20Prevent=20Race=20Co?= =?UTF-8?q?ndition=20in=20RedisJobStore=20(#11764)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 fix: Optimize job update logic in RedisJobStore - Refactored the updateJob method to use a Lua script for atomic updates, ensuring that jobs are only updated if they exist in Redis. - Removed redundant existence check and streamlined the serialization process for better performance and clarity. * 🔧 test: Add race condition tests for RedisJobStore - Introduced tests to verify behavior of updateJob after deleteJob, ensuring no job hash is recreated post-deletion. - Added checks for orphan keys when concurrent deleteJob and updateJob operations occur, enhancing reliability in job management. * 🔧 test: Refactor Redis client readiness checks in violationCache tests - Introduced a new helper function `waitForRedisClients` to streamline the readiness checks for Redis clients in the violationCache integration tests. - Removed redundant Redis client readiness checks from individual test cases, improving code clarity and maintainability. * 🔧 fix: Update RedisJobStore to use hset instead of hmset - Replaced instances of `hmset` with `hset` in the RedisJobStore implementation to align with the latest Redis command updates. - Updated Lua script in the eval method to reflect the change, ensuring consistent job handling in both cluster and non-cluster modes. --- .../violationCache.cache_integration.spec.ts | 58 +++++++----------- .../RedisJobStore.stream_integration.spec.ts | 61 +++++++++++++++++++ .../stream/implementations/RedisJobStore.ts | 20 +++--- 3 files changed, 96 insertions(+), 43 deletions(-) diff --git a/packages/api/src/cache/__tests__/cacheFactory/violationCache.cache_integration.spec.ts b/packages/api/src/cache/__tests__/cacheFactory/violationCache.cache_integration.spec.ts index 989008e82e..1978620c24 100644 --- a/packages/api/src/cache/__tests__/cacheFactory/violationCache.cache_integration.spec.ts +++ b/packages/api/src/cache/__tests__/cacheFactory/violationCache.cache_integration.spec.ts @@ -20,6 +20,24 @@ interface ViolationData { }; } +/** Waits for both Redis clients (ioredis + keyv/node-redis) to be ready */ +async function waitForRedisClients() { + const redisClients = await import('../../redisClients'); + const { ioredisClient, keyvRedisClientReady } = redisClients; + + if (ioredisClient && ioredisClient.status !== 'ready') { + await new Promise((resolve) => { + ioredisClient.once('ready', resolve); + }); + } + + if (keyvRedisClientReady) { + await keyvRedisClientReady; + } + + return redisClients; +} + describe('violationCache', () => { let originalEnv: NodeJS.ProcessEnv; @@ -45,17 +63,9 @@ describe('violationCache', () => { test('should create violation cache with Redis when USE_REDIS is true', async () => { const cacheFactory = await import('../../cacheFactory'); - const redisClients = await import('../../redisClients'); - const { ioredisClient } = redisClients; + await waitForRedisClients(); const cache = cacheFactory.violationCache('test-violations', 60000); // 60 second TTL - // Wait for Redis connection to be ready - if (ioredisClient && ioredisClient.status !== 'ready') { - await new Promise((resolve) => { - ioredisClient.once('ready', resolve); - }); - } - // Verify it returns a Keyv instance expect(cache).toBeDefined(); expect(cache.constructor.name).toBe('Keyv'); @@ -112,18 +122,10 @@ describe('violationCache', () => { test('should respect namespace prefixing', async () => { const cacheFactory = await import('../../cacheFactory'); - const redisClients = await import('../../redisClients'); - const { ioredisClient } = redisClients; + await waitForRedisClients(); const cache1 = cacheFactory.violationCache('namespace1'); const cache2 = cacheFactory.violationCache('namespace2'); - // Wait for Redis connection to be ready - if (ioredisClient && ioredisClient.status !== 'ready') { - await new Promise((resolve) => { - ioredisClient.once('ready', resolve); - }); - } - const testKey = 'shared-key'; const value1: ViolationData = { namespace: 1 }; const value2: ViolationData = { namespace: 2 }; @@ -146,18 +148,10 @@ describe('violationCache', () => { test('should respect TTL settings', async () => { const cacheFactory = await import('../../cacheFactory'); - const redisClients = await import('../../redisClients'); - const { ioredisClient } = redisClients; + await waitForRedisClients(); const ttl = 1000; // 1 second TTL const cache = cacheFactory.violationCache('ttl-test', ttl); - // Wait for Redis connection to be ready - if (ioredisClient && ioredisClient.status !== 'ready') { - await new Promise((resolve) => { - ioredisClient.once('ready', resolve); - }); - } - const testKey = 'ttl-key'; const testValue: ViolationData = { data: 'expires soon' }; @@ -178,17 +172,9 @@ describe('violationCache', () => { test('should handle complex violation data structures', async () => { const cacheFactory = await import('../../cacheFactory'); - const redisClients = await import('../../redisClients'); - const { ioredisClient } = redisClients; + await waitForRedisClients(); const cache = cacheFactory.violationCache('complex-violations'); - // Wait for Redis connection to be ready - if (ioredisClient && ioredisClient.status !== 'ready') { - await new Promise((resolve) => { - ioredisClient.once('ready', resolve); - }); - } - const complexData: ViolationData = { userId: 'user123', violations: [ diff --git a/packages/api/src/stream/__tests__/RedisJobStore.stream_integration.spec.ts b/packages/api/src/stream/__tests__/RedisJobStore.stream_integration.spec.ts index 89c6f9e92e..d00321a77d 100644 --- a/packages/api/src/stream/__tests__/RedisJobStore.stream_integration.spec.ts +++ b/packages/api/src/stream/__tests__/RedisJobStore.stream_integration.spec.ts @@ -880,6 +880,67 @@ describe('RedisJobStore Integration Tests', () => { }); }); + describe('Race Condition: updateJob after deleteJob', () => { + test('should not re-create job hash when updateJob runs after deleteJob', async () => { + if (!ioredisClient) { + return; + } + + const { RedisJobStore } = await import('../implementations/RedisJobStore'); + const store = new RedisJobStore(ioredisClient); + await store.initialize(); + + const streamId = `race-condition-${Date.now()}`; + await store.createJob(streamId, 'user-1', streamId); + + const jobKey = `stream:{${streamId}}:job`; + const ttlBefore = await ioredisClient.ttl(jobKey); + expect(ttlBefore).toBeGreaterThan(0); + + await store.deleteJob(streamId); + + const afterDelete = await ioredisClient.exists(jobKey); + expect(afterDelete).toBe(0); + + await store.updateJob(streamId, { finalEvent: JSON.stringify({ final: true }) }); + + const afterUpdate = await ioredisClient.exists(jobKey); + expect(afterUpdate).toBe(0); + + await store.destroy(); + }); + + test('should not leave orphan keys from concurrent emitDone and deleteJob', async () => { + if (!ioredisClient) { + return; + } + + const { RedisJobStore } = await import('../implementations/RedisJobStore'); + const store = new RedisJobStore(ioredisClient); + await store.initialize(); + + const streamId = `concurrent-race-${Date.now()}`; + await store.createJob(streamId, 'user-1', streamId); + + const jobKey = `stream:{${streamId}}:job`; + + await Promise.all([ + store.updateJob(streamId, { finalEvent: JSON.stringify({ final: true }) }), + store.deleteJob(streamId), + ]); + + await new Promise((resolve) => setTimeout(resolve, 100)); + + const exists = await ioredisClient.exists(jobKey); + const ttl = exists ? await ioredisClient.ttl(jobKey) : -2; + + expect(ttl === -2 || ttl > 0).toBe(true); + expect(ttl).not.toBe(-1); + + await store.destroy(); + }); + }); + describe('Local Graph Cache Optimization', () => { test('should use local cache when available', async () => { if (!ioredisClient) { diff --git a/packages/api/src/stream/implementations/RedisJobStore.ts b/packages/api/src/stream/implementations/RedisJobStore.ts index cce636d5a1..a0d26d087f 100644 --- a/packages/api/src/stream/implementations/RedisJobStore.ts +++ b/packages/api/src/stream/implementations/RedisJobStore.ts @@ -156,13 +156,13 @@ export class RedisJobStore implements IJobStore { // For cluster mode, we can't pipeline keys on different slots // The job key uses hash tag {streamId}, runningJobs and userJobs are on different slots if (this.isCluster) { - await this.redis.hmset(key, this.serializeJob(job)); + await this.redis.hset(key, this.serializeJob(job)); await this.redis.expire(key, this.ttl.running); await this.redis.sadd(KEYS.runningJobs, streamId); await this.redis.sadd(userJobsKey, streamId); } else { const pipeline = this.redis.pipeline(); - pipeline.hmset(key, this.serializeJob(job)); + pipeline.hset(key, this.serializeJob(job)); pipeline.expire(key, this.ttl.running); pipeline.sadd(KEYS.runningJobs, streamId); pipeline.sadd(userJobsKey, streamId); @@ -183,17 +183,23 @@ export class RedisJobStore implements IJobStore { async updateJob(streamId: string, updates: Partial): Promise { const key = KEYS.job(streamId); - const exists = await this.redis.exists(key); - if (!exists) { - return; - } const serialized = this.serializeJob(updates as SerializableJobData); if (Object.keys(serialized).length === 0) { return; } - await this.redis.hmset(key, serialized); + const fields = Object.entries(serialized).flat(); + const updated = await this.redis.eval( + 'if redis.call("EXISTS", KEYS[1]) == 1 then redis.call("HSET", KEYS[1], unpack(ARGV)) return 1 else return 0 end', + 1, + key, + ...fields, + ); + + if (updated === 0) { + return; + } // If status changed to complete/error/aborted, update TTL and remove from running set // Note: userJobs cleanup is handled lazily via self-healing in getActiveJobIdsByUser From 3888dfa4898e0031fcd5ac1cc54a83f83315997a Mon Sep 17 00:00:00 2001 From: Ganesh Bhat <10886770+bhat-ganesh@users.noreply.github.com> Date: Fri, 13 Feb 2026 10:27:51 -0500 Subject: [PATCH 18/55] =?UTF-8?q?=E2=9B=B5=20feat:=20Expose=20enableServic?= =?UTF-8?q?eLinks=20in=20Helm=20Deployment=20Templates=20(#11741)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🐳 feat: Expose enableServiceLinks in Helm Deployment templates (#11740) Allow users to disable Kubernetes service link injection via enableServiceLinks in both LibreChat and RAG API Helm charts. This prevents pod startup failures caused by "argument list too long" errors in namespaces with many services. * Update helm/librechat/templates/deployment.yaml * Update helm/librechat-rag-api/templates/rag-deployment.yaml * set enableServiceLinks default to true --------- Co-authored-by: Ganesh Bhat --- helm/librechat-rag-api/Chart.yaml | 2 +- helm/librechat-rag-api/templates/rag-deployment.yaml | 3 +++ helm/librechat-rag-api/values.yaml | 5 +++++ helm/librechat/Chart.yaml | 4 ++-- helm/librechat/templates/deployment.yaml | 3 +++ helm/librechat/values.yaml | 5 +++++ 6 files changed, 19 insertions(+), 3 deletions(-) diff --git a/helm/librechat-rag-api/Chart.yaml b/helm/librechat-rag-api/Chart.yaml index 38d1470e49..cc382f0501 100755 --- a/helm/librechat-rag-api/Chart.yaml +++ b/helm/librechat-rag-api/Chart.yaml @@ -14,7 +14,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.5.2 +version: 0.5.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/librechat-rag-api/templates/rag-deployment.yaml b/helm/librechat-rag-api/templates/rag-deployment.yaml index 5324ee3f7e..1978260723 100755 --- a/helm/librechat-rag-api/templates/rag-deployment.yaml +++ b/helm/librechat-rag-api/templates/rag-deployment.yaml @@ -26,6 +26,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- if kindIs "bool" .Values.enableServiceLinks }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- end }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: diff --git a/helm/librechat-rag-api/values.yaml b/helm/librechat-rag-api/values.yaml index cd722bc096..3e1b61208a 100755 --- a/helm/librechat-rag-api/values.yaml +++ b/helm/librechat-rag-api/values.yaml @@ -40,6 +40,11 @@ fullnameOverride: '' podAnnotations: {} podLabels: {} +# Enable or disable injection of service environment variables into pods. +# When running in namespaces with many services, the injected variables can cause +# "argument list too long" errors. Set to false to disable. +enableServiceLinks: true + podSecurityContext: {} # fsGroup: 2000 securityContext: {} diff --git a/helm/librechat/Chart.yaml b/helm/librechat/Chart.yaml index 1e24daa280..296b20af96 100755 --- a/helm/librechat/Chart.yaml +++ b/helm/librechat/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.9.7 +version: 1.9.8 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -37,6 +37,6 @@ dependencies: condition: meilisearch.enabled repository: "https://meilisearch.github.io/meilisearch-kubernetes" - name: librechat-rag-api - version: "0.5.2" + version: "0.5.3" condition: librechat-rag-api.enabled repository: file://../librechat-rag-api diff --git a/helm/librechat/templates/deployment.yaml b/helm/librechat/templates/deployment.yaml index f8d0e58298..279749185b 100755 --- a/helm/librechat/templates/deployment.yaml +++ b/helm/librechat/templates/deployment.yaml @@ -49,6 +49,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "librechat.serviceAccountName" . }} + {{- if kindIs "bool" .Values.enableServiceLinks }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- end }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- if .Values.initContainers }} diff --git a/helm/librechat/values.yaml b/helm/librechat/values.yaml index c6461ade61..f40f985954 100755 --- a/helm/librechat/values.yaml +++ b/helm/librechat/values.yaml @@ -153,6 +153,11 @@ podLabels: {} deploymentAnnotations: {} deploymentLabels: {} +# Enable or disable injection of service environment variables into pods. +# When running in namespaces with many services, the injected variables can cause +# "argument list too long" errors. Set to false to disable. +enableServiceLinks: true + podSecurityContext: fsGroup: 2000 From 2e42378b165dd5b4760b52d5c12b60f09f16ff8e Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Fri, 13 Feb 2026 10:35:51 -0500 Subject: [PATCH 19/55] =?UTF-8?q?=F0=9F=94=92=20fix:=20Secure=20Cookie=20L?= =?UTF-8?q?ocalhost=20Bypass=20and=20OpenID=20Token=20Selection=20in=20Aut?= =?UTF-8?q?hService=20(#11782)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService Two independent bugs in `api/server/services/AuthService.js` cause complete authentication failure when using `OPENID_REUSE_TOKENS=true` with Microsoft Entra ID (or Auth0) on `http://localhost` with `NODE_ENV=production`: Bug 1: `secure: isProduction` prevents auth cookies on localhost PR #11518 introduced `shouldUseSecureCookie()` in `socialLogins.js` to handle the case where `NODE_ENV=production` but the server runs on `http://localhost`. However, `AuthService.js` was not updated — it still used `secure: isProduction` in 6 cookie locations across `setAuthTokens()` and `setOpenIDAuthTokens()`. The `token_provider` cookie being dropped is critical: without it, `requireJwtAuth` middleware defaults to the `jwt` strategy instead of `openidJwt`, causing all authenticated requests to return 401. Bug 2: `setOpenIDAuthTokens()` returns `access_token` instead of `id_token` The `openIdJwtStrategy` validates the Bearer token via JWKS. For Entra ID without `OPENID_AUDIENCE`, the `access_token` is a Microsoft Graph API token (opaque or signed for a different audience), which fails JWKS validation. The `id_token` is always a standard JWT signed by the IdP's JWKS keys with the app's `client_id` as audience — which is what the strategy expects. This is the same root cause as issue #8796 (Auth0 encrypted access tokens). Changes: - Consolidate `shouldUseSecureCookie()` into `packages/api/src/oauth/csrf.ts` as a shared, typed utility exported from `@librechat/api`, replacing the duplicate definitions in `AuthService.js` and `socialLogins.js` - Move `isProduction` check inside the function body so it is evaluated at call time rather than module load time - Fix `packages/api/src/oauth/csrf.ts` which also used bare `secure: isProduction` for CSRF and session cookies (same localhost bug) - Return `tokenset.id_token || tokenset.access_token` from `setOpenIDAuthTokens()` so JWKS validation works with standard OIDC providers; falls back to `access_token` for backward compatibility - Add 15 tests for `shouldUseSecureCookie()` covering production/dev modes, localhost variants, edge cases, and a documented IPv6 bracket limitation - Add 13 tests for `setOpenIDAuthTokens()` covering token selection, session storage, cookie secure flag delegation, and edge cases Refs: #8796, #11518, #11236, #9931 * chore: Adjust Import Order and Type Definitions in AgentPanel Component - Reordered imports in `AgentPanel.tsx` for better organization and clarity. - Updated type imports to ensure proper usage of `FieldNamesMarkedBoolean` and `TranslationKeys`. - Removed redundant imports to streamline the codebase. --- api/server/services/AuthService.js | 34 ++- api/server/services/AuthService.spec.js | 269 ++++++++++++++++++ api/server/socialLogins.js | 34 +-- .../SidePanel/Agents/AgentPanel.tsx | 9 +- packages/api/src/oauth/csrf.spec.ts | 99 +++++++ packages/api/src/oauth/csrf.ts | 36 ++- 6 files changed, 431 insertions(+), 50 deletions(-) create mode 100644 api/server/services/AuthService.spec.js create mode 100644 packages/api/src/oauth/csrf.spec.ts diff --git a/api/server/services/AuthService.js b/api/server/services/AuthService.js index a400bce8b7..03122cb559 100644 --- a/api/server/services/AuthService.js +++ b/api/server/services/AuthService.js @@ -7,7 +7,13 @@ const { DEFAULT_REFRESH_TOKEN_EXPIRY, } = require('@librechat/data-schemas'); const { ErrorTypes, SystemRoles, errorsToString } = require('librechat-data-provider'); -const { isEnabled, checkEmailConfig, isEmailDomainAllowed, math } = require('@librechat/api'); +const { + math, + isEnabled, + checkEmailConfig, + isEmailDomainAllowed, + shouldUseSecureCookie, +} = require('@librechat/api'); const { findUser, findToken, @@ -33,7 +39,6 @@ const domains = { server: process.env.DOMAIN_SERVER, }; -const isProduction = process.env.NODE_ENV === 'production'; const genericVerificationMessage = 'Please check your email to verify your email address.'; /** @@ -392,13 +397,13 @@ const setAuthTokens = async (userId, res, _session = null) => { res.cookie('refreshToken', refreshToken, { expires: new Date(refreshTokenExpires), httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'strict', }); res.cookie('token_provider', 'librechat', { expires: new Date(refreshTokenExpires), httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'strict', }); return token; @@ -419,7 +424,7 @@ const setAuthTokens = async (userId, res, _session = null) => { * @param {Object} req - request object (for session access) * @param {Object} res - response object * @param {string} [userId] - Optional MongoDB user ID for image path validation - * @returns {String} - access token + * @returns {String} - id_token (preferred) or access_token as the app auth token */ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) => { try { @@ -448,6 +453,15 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) = return; } + /** + * Use id_token as the app authentication token (Bearer token for JWKS validation). + * The id_token is always a standard JWT signed by the IdP's JWKS keys with the app's + * client_id as audience. The access_token may be opaque or intended for a different + * audience (e.g., Microsoft Graph API), which fails JWKS validation. + * Falls back to access_token for providers where id_token is not available. + */ + const appAuthToken = tokenset.id_token || tokenset.access_token; + /** Store tokens server-side in session to avoid large cookies */ if (req.session) { req.session.openidTokens = { @@ -460,13 +474,13 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) = res.cookie('refreshToken', refreshToken, { expires: expirationDate, httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'strict', }); res.cookie('openid_access_token', tokenset.access_token, { expires: expirationDate, httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'strict', }); } @@ -475,7 +489,7 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) = res.cookie('token_provider', 'openid', { expires: expirationDate, httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'strict', }); if (userId && isEnabled(process.env.OPENID_REUSE_TOKENS)) { @@ -486,11 +500,11 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) = res.cookie('openid_user_id', signedUserId, { expires: expirationDate, httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'strict', }); } - return tokenset.access_token; + return appAuthToken; } catch (error) { logger.error('[setOpenIDAuthTokens] Error in setting authentication tokens:', error); throw error; diff --git a/api/server/services/AuthService.spec.js b/api/server/services/AuthService.spec.js new file mode 100644 index 0000000000..da78f8d775 --- /dev/null +++ b/api/server/services/AuthService.spec.js @@ -0,0 +1,269 @@ +jest.mock('@librechat/data-schemas', () => ({ + logger: { info: jest.fn(), warn: jest.fn(), debug: jest.fn(), error: jest.fn() }, + DEFAULT_SESSION_EXPIRY: 900000, + DEFAULT_REFRESH_TOKEN_EXPIRY: 604800000, +})); +jest.mock('librechat-data-provider', () => ({ + ErrorTypes: {}, + SystemRoles: { USER: 'USER', ADMIN: 'ADMIN' }, + errorsToString: jest.fn(), +})); +jest.mock('@librechat/api', () => ({ + isEnabled: jest.fn((val) => val === 'true' || val === true), + checkEmailConfig: jest.fn(), + isEmailDomainAllowed: jest.fn(), + math: jest.fn((val, fallback) => (val ? Number(val) : fallback)), + shouldUseSecureCookie: jest.fn(() => false), +})); +jest.mock('~/models', () => ({ + findUser: jest.fn(), + findToken: jest.fn(), + createUser: jest.fn(), + updateUser: jest.fn(), + countUsers: jest.fn(), + getUserById: jest.fn(), + findSession: jest.fn(), + createToken: jest.fn(), + deleteTokens: jest.fn(), + deleteSession: jest.fn(), + createSession: jest.fn(), + generateToken: jest.fn(), + deleteUserById: jest.fn(), + generateRefreshToken: jest.fn(), +})); +jest.mock('~/strategies/validators', () => ({ registerSchema: { parse: jest.fn() } })); +jest.mock('~/server/services/Config', () => ({ getAppConfig: jest.fn() })); +jest.mock('~/server/utils', () => ({ sendEmail: jest.fn() })); + +const { shouldUseSecureCookie } = require('@librechat/api'); +const { setOpenIDAuthTokens } = require('./AuthService'); + +/** Helper to build a mock Express response */ +function mockResponse() { + const cookies = {}; + const res = { + cookie: jest.fn((name, value, options) => { + cookies[name] = { value, options }; + }), + _cookies: cookies, + }; + return res; +} + +/** Helper to build a mock Express request with session */ +function mockRequest(sessionData = {}) { + return { + session: { openidTokens: null, ...sessionData }, + }; +} + +describe('setOpenIDAuthTokens', () => { + const env = process.env; + + beforeEach(() => { + jest.clearAllMocks(); + process.env = { + ...env, + JWT_REFRESH_SECRET: 'test-refresh-secret', + OPENID_REUSE_TOKENS: 'true', + }; + }); + + afterAll(() => { + process.env = env; + }); + + describe('token selection (id_token vs access_token)', () => { + it('should return id_token when both id_token and access_token are present', () => { + const tokenset = { + id_token: 'the-id-token', + access_token: 'the-access-token', + refresh_token: 'the-refresh-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + expect(result).toBe('the-id-token'); + }); + + it('should return access_token when id_token is not available', () => { + const tokenset = { + access_token: 'the-access-token', + refresh_token: 'the-refresh-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + expect(result).toBe('the-access-token'); + }); + + it('should return access_token when id_token is undefined', () => { + const tokenset = { + id_token: undefined, + access_token: 'the-access-token', + refresh_token: 'the-refresh-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + expect(result).toBe('the-access-token'); + }); + + it('should return access_token when id_token is null', () => { + const tokenset = { + id_token: null, + access_token: 'the-access-token', + refresh_token: 'the-refresh-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + expect(result).toBe('the-access-token'); + }); + + it('should return id_token even when id_token and access_token differ', () => { + const tokenset = { + id_token: 'id-token-jwt-signed-by-idp', + access_token: 'opaque-graph-api-token', + refresh_token: 'refresh-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + expect(result).toBe('id-token-jwt-signed-by-idp'); + expect(result).not.toBe('opaque-graph-api-token'); + }); + }); + + describe('session token storage', () => { + it('should store the original access_token in session (not id_token)', () => { + const tokenset = { + id_token: 'the-id-token', + access_token: 'the-access-token', + refresh_token: 'the-refresh-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + + expect(req.session.openidTokens.accessToken).toBe('the-access-token'); + expect(req.session.openidTokens.refreshToken).toBe('the-refresh-token'); + }); + }); + + describe('cookie secure flag', () => { + it('should call shouldUseSecureCookie for every cookie set', () => { + const tokenset = { + id_token: 'the-id-token', + access_token: 'the-access-token', + refresh_token: 'the-refresh-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + + // token_provider + openid_user_id (session path, so no refreshToken/openid_access_token cookies) + const secureCalls = shouldUseSecureCookie.mock.calls.length; + expect(secureCalls).toBeGreaterThanOrEqual(2); + + // Verify all cookies use the result of shouldUseSecureCookie + for (const [, cookie] of Object.entries(res._cookies)) { + expect(cookie.options.secure).toBe(false); + } + }); + + it('should set secure: true when shouldUseSecureCookie returns true', () => { + shouldUseSecureCookie.mockReturnValue(true); + + const tokenset = { + id_token: 'the-id-token', + access_token: 'the-access-token', + refresh_token: 'the-refresh-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + + for (const [, cookie] of Object.entries(res._cookies)) { + expect(cookie.options.secure).toBe(true); + } + }); + + it('should use shouldUseSecureCookie for cookie fallback path (no session)', () => { + shouldUseSecureCookie.mockReturnValue(false); + + const tokenset = { + id_token: 'the-id-token', + access_token: 'the-access-token', + refresh_token: 'the-refresh-token', + }; + const req = { session: null }; + const res = mockResponse(); + + setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + + // In the cookie fallback path, we get: refreshToken, openid_access_token, token_provider, openid_user_id + expect(res.cookie).toHaveBeenCalledWith( + 'refreshToken', + expect.any(String), + expect.objectContaining({ secure: false }), + ); + expect(res.cookie).toHaveBeenCalledWith( + 'openid_access_token', + expect.any(String), + expect.objectContaining({ secure: false }), + ); + expect(res.cookie).toHaveBeenCalledWith( + 'token_provider', + 'openid', + expect.objectContaining({ secure: false }), + ); + }); + }); + + describe('edge cases', () => { + it('should return undefined when tokenset is null', () => { + const req = mockRequest(); + const res = mockResponse(); + const result = setOpenIDAuthTokens(null, req, res, 'user-123'); + expect(result).toBeUndefined(); + }); + + it('should return undefined when access_token is missing', () => { + const tokenset = { refresh_token: 'refresh' }; + const req = mockRequest(); + const res = mockResponse(); + const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + expect(result).toBeUndefined(); + }); + + it('should return undefined when no refresh token is available', () => { + const tokenset = { access_token: 'access', id_token: 'id' }; + const req = mockRequest(); + const res = mockResponse(); + const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123'); + expect(result).toBeUndefined(); + }); + + it('should use existingRefreshToken when tokenset has no refresh_token', () => { + const tokenset = { + id_token: 'the-id-token', + access_token: 'the-access-token', + }; + const req = mockRequest(); + const res = mockResponse(); + + const result = setOpenIDAuthTokens(tokenset, req, res, 'user-123', 'existing-refresh'); + expect(result).toBe('the-id-token'); + expect(req.session.openidTokens.refreshToken).toBe('existing-refresh'); + }); + }); +}); diff --git a/api/server/socialLogins.js b/api/server/socialLogins.js index cf67fa9436..a84c33bd52 100644 --- a/api/server/socialLogins.js +++ b/api/server/socialLogins.js @@ -1,7 +1,7 @@ const passport = require('passport'); const session = require('express-session'); -const { isEnabled } = require('@librechat/api'); const { CacheKeys } = require('librechat-data-provider'); +const { isEnabled, shouldUseSecureCookie } = require('@librechat/api'); const { logger, DEFAULT_SESSION_EXPIRY } = require('@librechat/data-schemas'); const { openIdJwtLogin, @@ -15,38 +15,6 @@ const { } = require('~/strategies'); const { getLogStores } = require('~/cache'); -/** - * Determines if secure cookies should be used. - * Only use secure cookies in production when not on localhost. - * @returns {boolean} - */ -function shouldUseSecureCookie() { - const isProduction = process.env.NODE_ENV === 'production'; - const domainServer = process.env.DOMAIN_SERVER || ''; - - let hostname = ''; - if (domainServer) { - try { - const normalized = /^https?:\/\//i.test(domainServer) - ? domainServer - : `http://${domainServer}`; - const url = new URL(normalized); - hostname = (url.hostname || '').toLowerCase(); - } catch { - // Fallback: treat DOMAIN_SERVER directly as a hostname-like string - hostname = domainServer.toLowerCase(); - } - } - - const isLocalhost = - hostname === 'localhost' || - hostname === '127.0.0.1' || - hostname === '::1' || - hostname.endsWith('.localhost'); - - return isProduction && !isLocalhost; -} - /** * Configures OpenID Connect for the application. * @param {Express.Application} app - The Express application instance. diff --git a/client/src/components/SidePanel/Agents/AgentPanel.tsx b/client/src/components/SidePanel/Agents/AgentPanel.tsx index f74dcfddcc..890488e88d 100644 --- a/client/src/components/SidePanel/Agents/AgentPanel.tsx +++ b/client/src/components/SidePanel/Agents/AgentPanel.tsx @@ -1,7 +1,7 @@ -import { Plus } from 'lucide-react'; import React, { useMemo, useCallback, useRef, useState } from 'react'; +import { Plus } from 'lucide-react'; import { Button, useToastContext } from '@librechat/client'; -import { useWatch, useForm, FormProvider, type FieldNamesMarkedBoolean } from 'react-hook-form'; +import { useWatch, useForm, FormProvider } from 'react-hook-form'; import { useGetModelsQuery } from 'librechat-data-provider/react-query'; import { Tools, @@ -11,8 +11,10 @@ import { PermissionBits, isAssistantsEndpoint, } from 'librechat-data-provider'; -import type { AgentForm, StringOption } from '~/common'; +import type { FieldNamesMarkedBoolean } from 'react-hook-form'; import type { Agent } from 'librechat-data-provider'; +import type { TranslationKeys } from '~/hooks/useLocalize'; +import type { AgentForm, StringOption } from '~/common'; import { useCreateAgentMutation, useUpdateAgentMutation, @@ -23,7 +25,6 @@ import { import { createProviderOption, getDefaultAgentFormValues } from '~/utils'; import { useResourcePermissions } from '~/hooks/useResourcePermissions'; import { useSelectAgent, useLocalize, useAuthContext } from '~/hooks'; -import type { TranslationKeys } from '~/hooks/useLocalize'; import { useAgentPanelContext } from '~/Providers/AgentPanelContext'; import AgentPanelSkeleton from './AgentPanelSkeleton'; import AdvancedPanel from './Advanced/AdvancedPanel'; diff --git a/packages/api/src/oauth/csrf.spec.ts b/packages/api/src/oauth/csrf.spec.ts new file mode 100644 index 0000000000..b56f1fd38f --- /dev/null +++ b/packages/api/src/oauth/csrf.spec.ts @@ -0,0 +1,99 @@ +import { shouldUseSecureCookie } from './csrf'; + +describe('shouldUseSecureCookie', () => { + const originalEnv = process.env; + + beforeEach(() => { + process.env = { ...originalEnv }; + }); + + afterAll(() => { + process.env = originalEnv; + }); + + it('should return true in production with a non-localhost domain', () => { + process.env.NODE_ENV = 'production'; + process.env.DOMAIN_SERVER = 'https://myapp.example.com'; + expect(shouldUseSecureCookie()).toBe(true); + }); + + it('should return false in development regardless of domain', () => { + process.env.NODE_ENV = 'development'; + process.env.DOMAIN_SERVER = 'https://myapp.example.com'; + expect(shouldUseSecureCookie()).toBe(false); + }); + + it('should return false when NODE_ENV is not set', () => { + delete process.env.NODE_ENV; + process.env.DOMAIN_SERVER = 'https://myapp.example.com'; + expect(shouldUseSecureCookie()).toBe(false); + }); + + describe('localhost detection in production', () => { + beforeEach(() => { + process.env.NODE_ENV = 'production'; + }); + + it('should return false for http://localhost:3080', () => { + process.env.DOMAIN_SERVER = 'http://localhost:3080'; + expect(shouldUseSecureCookie()).toBe(false); + }); + + it('should return false for https://localhost:3080', () => { + process.env.DOMAIN_SERVER = 'https://localhost:3080'; + expect(shouldUseSecureCookie()).toBe(false); + }); + + it('should return false for http://localhost (no port)', () => { + process.env.DOMAIN_SERVER = 'http://localhost'; + expect(shouldUseSecureCookie()).toBe(false); + }); + + it('should return false for http://127.0.0.1:3080', () => { + process.env.DOMAIN_SERVER = 'http://127.0.0.1:3080'; + expect(shouldUseSecureCookie()).toBe(false); + }); + + it('should return true for http://[::1]:3080 (IPv6 loopback — not detected due to URL bracket parsing)', () => { + // Known limitation: new URL('http://[::1]:3080').hostname returns '[::1]' (with brackets) + // but the check compares against '::1' (without brackets). IPv6 localhost is rare in practice. + process.env.DOMAIN_SERVER = 'http://[::1]:3080'; + expect(shouldUseSecureCookie()).toBe(true); + }); + + it('should return false for subdomain of localhost', () => { + process.env.DOMAIN_SERVER = 'http://app.localhost:3080'; + expect(shouldUseSecureCookie()).toBe(false); + }); + + it('should return true for a domain containing "localhost" as a substring but not as hostname', () => { + process.env.DOMAIN_SERVER = 'https://notlocalhost.example.com'; + expect(shouldUseSecureCookie()).toBe(true); + }); + + it('should return true for a regular production domain', () => { + process.env.DOMAIN_SERVER = 'https://chat.example.com'; + expect(shouldUseSecureCookie()).toBe(true); + }); + + it('should return true when DOMAIN_SERVER is empty (conservative default)', () => { + process.env.DOMAIN_SERVER = ''; + expect(shouldUseSecureCookie()).toBe(true); + }); + + it('should return true when DOMAIN_SERVER is not set (conservative default)', () => { + delete process.env.DOMAIN_SERVER; + expect(shouldUseSecureCookie()).toBe(true); + }); + + it('should handle DOMAIN_SERVER without protocol prefix', () => { + process.env.DOMAIN_SERVER = 'localhost:3080'; + expect(shouldUseSecureCookie()).toBe(false); + }); + + it('should handle case-insensitive hostnames', () => { + process.env.DOMAIN_SERVER = 'http://LOCALHOST:3080'; + expect(shouldUseSecureCookie()).toBe(false); + }); + }); +}); diff --git a/packages/api/src/oauth/csrf.ts b/packages/api/src/oauth/csrf.ts index 5bf0566b45..6ed63968d1 100644 --- a/packages/api/src/oauth/csrf.ts +++ b/packages/api/src/oauth/csrf.ts @@ -8,7 +8,37 @@ export const OAUTH_SESSION_COOKIE = 'oauth_session'; export const OAUTH_SESSION_MAX_AGE = 24 * 60 * 60 * 1000; export const OAUTH_SESSION_COOKIE_PATH = '/api'; -const isProduction = process.env.NODE_ENV === 'production'; +/** + * Determines if secure cookies should be used. + * Returns `true` in production unless the server is running on localhost (HTTP). + * This allows cookies to work on `http://localhost` during local development + * even when `NODE_ENV=production` (common in Docker Compose setups). + */ +export function shouldUseSecureCookie(): boolean { + const isProduction = process.env.NODE_ENV === 'production'; + const domainServer = process.env.DOMAIN_SERVER || ''; + + let hostname = ''; + if (domainServer) { + try { + const normalized = /^https?:\/\//i.test(domainServer) + ? domainServer + : `http://${domainServer}`; + const url = new URL(normalized); + hostname = (url.hostname || '').toLowerCase(); + } catch { + hostname = domainServer.toLowerCase(); + } + } + + const isLocalhost = + hostname === 'localhost' || + hostname === '127.0.0.1' || + hostname === '::1' || + hostname.endsWith('.localhost'); + + return isProduction && !isLocalhost; +} /** Generates an HMAC-based token for OAuth CSRF protection */ export function generateOAuthCsrfToken(flowId: string, secret?: string): string { @@ -23,7 +53,7 @@ export function generateOAuthCsrfToken(flowId: string, secret?: string): string export function setOAuthCsrfCookie(res: Response, flowId: string, cookiePath: string): void { res.cookie(OAUTH_CSRF_COOKIE, generateOAuthCsrfToken(flowId), { httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'lax', maxAge: OAUTH_CSRF_MAX_AGE, path: cookiePath, @@ -68,7 +98,7 @@ export function setOAuthSession(req: Request, res: Response, next: NextFunction) export function setOAuthSessionCookie(res: Response, userId: string): void { res.cookie(OAUTH_SESSION_COOKIE, generateOAuthCsrfToken(userId), { httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'lax', maxAge: OAUTH_SESSION_MAX_AGE, path: OAUTH_SESSION_COOKIE_PATH, From 8e3b717e99959d7dc00ee111a7d42e3aca6d1d4b Mon Sep 17 00:00:00 2001 From: Callum Keogan <48253321+calkeo@users.noreply.github.com> Date: Fri, 13 Feb 2026 15:43:25 +0000 Subject: [PATCH 20/55] =?UTF-8?q?=F0=9F=A6=99=20fix:=20Memory=20Agent=20Fa?= =?UTF-8?q?ils=20to=20Initialize=20with=20Ollama=20Provider=20(#11680)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixed an issue where memory agents would fail with 'Provider Ollama not supported' error when using Ollama as a custom endpoint. The getCustomEndpointConfig function was only normalizing the endpoint config name but not the endpoint parameter during comparison. Changes: - Modified getCustomEndpointConfig to normalize both sides of the endpoint comparison - Added comprehensive test coverage for getCustomEndpointConfig including: - Test for case-insensitive Ollama endpoint matching (main fix) - Tests for various edge cases and error handling This ensures that endpoint name matching works correctly for Ollama regardless of case sensitivity in the configuration. --- packages/api/src/app/config.test.ts | 78 +++++++++++++++++++++++++++-- packages/api/src/app/config.ts | 2 +- 2 files changed, 76 insertions(+), 4 deletions(-) diff --git a/packages/api/src/app/config.test.ts b/packages/api/src/app/config.test.ts index f85bb8a62c..3e2ee6d143 100644 --- a/packages/api/src/app/config.test.ts +++ b/packages/api/src/app/config.test.ts @@ -1,7 +1,7 @@ -import { getTransactionsConfig, getBalanceConfig } from './config'; +import { getTransactionsConfig, getBalanceConfig, getCustomEndpointConfig } from './config'; import { logger } from '@librechat/data-schemas'; -import { FileSources } from 'librechat-data-provider'; -import type { TCustomConfig } from 'librechat-data-provider'; +import { FileSources, EModelEndpoint } from 'librechat-data-provider'; +import type { TCustomConfig, TEndpoint } from 'librechat-data-provider'; import type { AppConfig } from '@librechat/data-schemas'; // Helper function to create a minimal AppConfig for testing @@ -282,3 +282,75 @@ describe('getBalanceConfig', () => { }); }); }); + +describe('getCustomEndpointConfig', () => { + describe('when appConfig is not provided', () => { + it('should throw an error', () => { + expect(() => getCustomEndpointConfig({ endpoint: 'test' })).toThrow( + 'Config not found for the test custom endpoint.', + ); + }); + }); + + describe('when appConfig is provided', () => { + it('should return undefined when no custom endpoints are configured', () => { + const appConfig = createTestAppConfig(); + const result = getCustomEndpointConfig({ endpoint: 'test', appConfig }); + expect(result).toBeUndefined(); + }); + + it('should return the matching endpoint config when found', () => { + const appConfig = createTestAppConfig({ + endpoints: { + [EModelEndpoint.custom]: [ + { + name: 'TestEndpoint', + apiKey: 'test-key', + } as TEndpoint, + ], + }, + }); + + const result = getCustomEndpointConfig({ endpoint: 'TestEndpoint', appConfig }); + expect(result).toEqual({ + name: 'TestEndpoint', + apiKey: 'test-key', + }); + }); + + it('should handle case-insensitive matching for Ollama endpoint', () => { + const appConfig = createTestAppConfig({ + endpoints: { + [EModelEndpoint.custom]: [ + { + name: 'Ollama', + apiKey: 'ollama-key', + } as TEndpoint, + ], + }, + }); + + const result = getCustomEndpointConfig({ endpoint: 'Ollama', appConfig }); + expect(result).toEqual({ + name: 'Ollama', + apiKey: 'ollama-key', + }); + }); + + it('should handle mixed case endpoint names', () => { + const appConfig = createTestAppConfig({ + endpoints: { + [EModelEndpoint.custom]: [ + { + name: 'CustomAI', + apiKey: 'custom-key', + } as TEndpoint, + ], + }, + }); + + const result = getCustomEndpointConfig({ endpoint: 'customai', appConfig }); + expect(result).toBeUndefined(); + }); + }); +}); diff --git a/packages/api/src/app/config.ts b/packages/api/src/app/config.ts index 38144dee2b..0a2fb3e6f9 100644 --- a/packages/api/src/app/config.ts +++ b/packages/api/src/app/config.ts @@ -64,7 +64,7 @@ export const getCustomEndpointConfig = ({ const customEndpoints = appConfig.endpoints?.[EModelEndpoint.custom] ?? []; return customEndpoints.find( - (endpointConfig) => normalizeEndpointName(endpointConfig.name) === endpoint, + (endpointConfig) => normalizeEndpointName(endpointConfig.name) === normalizeEndpointName(endpoint), ); }; From dc89e0003948cdb8044f0c61974788996a1e1897 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B3n=20Levy?= Date: Fri, 13 Feb 2026 16:07:39 +0000 Subject: [PATCH 21/55] =?UTF-8?q?=F0=9F=AA=99=20refactor:=20Distinguish=20?= =?UTF-8?q?ID=20Tokens=20from=20Access=20Tokens=20in=20OIDC=20Federated=20?= =?UTF-8?q?Auth=20(#11711)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(openid): distinguish ID tokens from access tokens in federated auth Fix OpenID Connect token handling to properly distinguish ID tokens from access tokens. ID tokens and access tokens are now stored and propagated separately, preventing token placeholders from resolving to identical values. - AuthService.js: Added idToken field to session storage - openIdJwtStrategy.js: Updated to read idToken from session - openidStrategy.js: Explicitly included id_token in federatedTokens - Test suites: Added comprehensive test coverage for token distinction Co-Authored-By: Claude Opus 4.6 * fix(openid): add separate openid_id_token cookie for ID token storage Store the OIDC ID token in its own cookie rather than relying solely on the access token, ensuring correct token type is used for identity verification vs API authorization. Co-Authored-By: Claude Opus 4.6 * test(openid): add JWT strategy cookie fallback tests Cover the token source resolution logic in openIdJwtStrategy: session-only, cookie-only, partial session fallback, raw Bearer fallback, and distinct id_token/access_token from cookies. Co-Authored-By: Claude Opus 4.6 --------- Co-authored-by: Claude Opus 4.6 --- api/cache/banViolation.js | 1 + .../controllers/auth/LogoutController.js | 1 + api/server/services/AuthService.js | 9 + api/strategies/openIdJwtStrategy.js | 6 +- api/strategies/openIdJwtStrategy.spec.js | 183 ++++++++++++++++++ api/strategies/openidStrategy.js | 1 + api/strategies/openidStrategy.spec.js | 26 ++- packages/api/src/utils/oidc.spec.ts | 29 +++ 8 files changed, 253 insertions(+), 3 deletions(-) create mode 100644 api/strategies/openIdJwtStrategy.spec.js diff --git a/api/cache/banViolation.js b/api/cache/banViolation.js index 122355edb1..4d321889c1 100644 --- a/api/cache/banViolation.js +++ b/api/cache/banViolation.js @@ -55,6 +55,7 @@ const banViolation = async (req, res, errorMessage) => { res.clearCookie('refreshToken'); res.clearCookie('openid_access_token'); + res.clearCookie('openid_id_token'); res.clearCookie('openid_user_id'); res.clearCookie('token_provider'); diff --git a/api/server/controllers/auth/LogoutController.js b/api/server/controllers/auth/LogoutController.js index ec66316285..0b3cf262b8 100644 --- a/api/server/controllers/auth/LogoutController.js +++ b/api/server/controllers/auth/LogoutController.js @@ -22,6 +22,7 @@ const logoutController = async (req, res) => { res.clearCookie('refreshToken'); res.clearCookie('openid_access_token'); + res.clearCookie('openid_id_token'); res.clearCookie('openid_user_id'); res.clearCookie('token_provider'); const response = { message }; diff --git a/api/server/services/AuthService.js b/api/server/services/AuthService.js index 03122cb559..1280f9f358 100644 --- a/api/server/services/AuthService.js +++ b/api/server/services/AuthService.js @@ -466,6 +466,7 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) = if (req.session) { req.session.openidTokens = { accessToken: tokenset.access_token, + idToken: tokenset.id_token, refreshToken: refreshToken, expiresAt: expirationDate.getTime(), }; @@ -483,6 +484,14 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) = secure: shouldUseSecureCookie(), sameSite: 'strict', }); + if (tokenset.id_token) { + res.cookie('openid_id_token', tokenset.id_token, { + expires: expirationDate, + httpOnly: true, + secure: isProduction, + sameSite: 'strict', + }); + } } /** Small cookie to indicate token provider (required for auth middleware) */ diff --git a/api/strategies/openIdJwtStrategy.js b/api/strategies/openIdJwtStrategy.js index df318ca30e..997dcec397 100644 --- a/api/strategies/openIdJwtStrategy.js +++ b/api/strategies/openIdJwtStrategy.js @@ -84,19 +84,21 @@ const openIdJwtLogin = (openIdConfig) => { /** Read tokens from session (server-side) to avoid large cookie issues */ const sessionTokens = req.session?.openidTokens; let accessToken = sessionTokens?.accessToken; + let idToken = sessionTokens?.idToken; let refreshToken = sessionTokens?.refreshToken; /** Fallback to cookies for backward compatibility */ - if (!accessToken || !refreshToken) { + if (!accessToken || !refreshToken || !idToken) { const cookieHeader = req.headers.cookie; const parsedCookies = cookieHeader ? cookies.parse(cookieHeader) : {}; accessToken = accessToken || parsedCookies.openid_access_token; + idToken = idToken || parsedCookies.openid_id_token; refreshToken = refreshToken || parsedCookies.refreshToken; } user.federatedTokens = { access_token: accessToken || rawToken, - id_token: rawToken, + id_token: idToken, refresh_token: refreshToken, expires_at: payload.exp, }; diff --git a/api/strategies/openIdJwtStrategy.spec.js b/api/strategies/openIdJwtStrategy.spec.js new file mode 100644 index 0000000000..566afe5a90 --- /dev/null +++ b/api/strategies/openIdJwtStrategy.spec.js @@ -0,0 +1,183 @@ +const { SystemRoles } = require('librechat-data-provider'); + +// --- Capture the verify callback from JwtStrategy --- +let capturedVerifyCallback; +jest.mock('passport-jwt', () => ({ + Strategy: jest.fn((_opts, verifyCallback) => { + capturedVerifyCallback = verifyCallback; + return { name: 'jwt' }; + }), + ExtractJwt: { + fromAuthHeaderAsBearerToken: jest.fn(() => 'mock-extractor'), + }, +})); +jest.mock('jwks-rsa', () => ({ + passportJwtSecret: jest.fn(() => 'mock-secret-provider'), +})); +jest.mock('https-proxy-agent', () => ({ + HttpsProxyAgent: jest.fn(), +})); +jest.mock('@librechat/data-schemas', () => ({ + logger: { info: jest.fn(), warn: jest.fn(), debug: jest.fn(), error: jest.fn() }, +})); +jest.mock('@librechat/api', () => ({ + isEnabled: jest.fn(() => false), + findOpenIDUser: jest.fn(), + math: jest.fn((val, fallback) => fallback), +})); +jest.mock('~/models', () => ({ + findUser: jest.fn(), + updateUser: jest.fn(), +})); + +const { findOpenIDUser } = require('@librechat/api'); +const { updateUser } = require('~/models'); +const openIdJwtLogin = require('./openIdJwtStrategy'); + +// Helper: build a mock openIdConfig +const mockOpenIdConfig = { + serverMetadata: () => ({ jwks_uri: 'https://example.com/.well-known/jwks.json' }), +}; + +// Helper: invoke the captured verify callback +async function invokeVerify(req, payload) { + return new Promise((resolve, reject) => { + capturedVerifyCallback(req, payload, (err, user, info) => { + if (err) { + return reject(err); + } + resolve({ user, info }); + }); + }); +} + +describe('openIdJwtStrategy – token source handling', () => { + const baseUser = { + _id: { toString: () => 'user-abc' }, + role: SystemRoles.USER, + provider: 'openid', + }; + + const payload = { sub: 'oidc-123', email: 'test@example.com', exp: 9999999999 }; + + beforeEach(() => { + jest.clearAllMocks(); + findOpenIDUser.mockResolvedValue({ user: { ...baseUser }, error: null, migration: false }); + updateUser.mockResolvedValue({}); + + // Initialize the strategy so capturedVerifyCallback is set + openIdJwtLogin(mockOpenIdConfig); + }); + + it('should read all tokens from session when available', async () => { + const req = { + headers: { authorization: 'Bearer raw-bearer-token' }, + session: { + openidTokens: { + accessToken: 'session-access', + idToken: 'session-id', + refreshToken: 'session-refresh', + }, + }, + }; + + const { user } = await invokeVerify(req, payload); + + expect(user.federatedTokens).toEqual({ + access_token: 'session-access', + id_token: 'session-id', + refresh_token: 'session-refresh', + expires_at: payload.exp, + }); + }); + + it('should fall back to cookies when session is absent', async () => { + const req = { + headers: { + authorization: 'Bearer raw-bearer-token', + cookie: + 'openid_access_token=cookie-access; openid_id_token=cookie-id; refreshToken=cookie-refresh', + }, + }; + + const { user } = await invokeVerify(req, payload); + + expect(user.federatedTokens).toEqual({ + access_token: 'cookie-access', + id_token: 'cookie-id', + refresh_token: 'cookie-refresh', + expires_at: payload.exp, + }); + }); + + it('should fall back to cookie for idToken only when session lacks it', async () => { + const req = { + headers: { + authorization: 'Bearer raw-bearer-token', + cookie: 'openid_id_token=cookie-id', + }, + session: { + openidTokens: { + accessToken: 'session-access', + // idToken intentionally missing + refreshToken: 'session-refresh', + }, + }, + }; + + const { user } = await invokeVerify(req, payload); + + expect(user.federatedTokens).toEqual({ + access_token: 'session-access', + id_token: 'cookie-id', + refresh_token: 'session-refresh', + expires_at: payload.exp, + }); + }); + + it('should use raw Bearer token as access_token fallback when neither session nor cookie has one', async () => { + const req = { + headers: { + authorization: 'Bearer raw-bearer-token', + cookie: 'openid_id_token=cookie-id; refreshToken=cookie-refresh', + }, + }; + + const { user } = await invokeVerify(req, payload); + + expect(user.federatedTokens.access_token).toBe('raw-bearer-token'); + expect(user.federatedTokens.id_token).toBe('cookie-id'); + expect(user.federatedTokens.refresh_token).toBe('cookie-refresh'); + }); + + it('should set id_token to undefined when not available in session or cookies', async () => { + const req = { + headers: { + authorization: 'Bearer raw-bearer-token', + cookie: 'openid_access_token=cookie-access; refreshToken=cookie-refresh', + }, + }; + + const { user } = await invokeVerify(req, payload); + + expect(user.federatedTokens.access_token).toBe('cookie-access'); + expect(user.federatedTokens.id_token).toBeUndefined(); + expect(user.federatedTokens.refresh_token).toBe('cookie-refresh'); + }); + + it('should keep id_token and access_token as distinct values from cookies', async () => { + const req = { + headers: { + authorization: 'Bearer raw-bearer-token', + cookie: + 'openid_access_token=the-access-token; openid_id_token=the-id-token; refreshToken=the-refresh', + }, + }; + + const { user } = await invokeVerify(req, payload); + + expect(user.federatedTokens.access_token).toBe('the-access-token'); + expect(user.federatedTokens.id_token).toBe('the-id-token'); + expect(user.federatedTokens.access_token).not.toBe(user.federatedTokens.id_token); + }); +}); diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js index c937b3dc9e..198c8735ae 100644 --- a/api/strategies/openidStrategy.js +++ b/api/strategies/openidStrategy.js @@ -590,6 +590,7 @@ async function processOpenIDAuth(tokenset, existingUsersOnly = false) { tokenset, federatedTokens: { access_token: tokenset.access_token, + id_token: tokenset.id_token, refresh_token: tokenset.refresh_token, expires_at: tokenset.expires_at, }, diff --git a/api/strategies/openidStrategy.spec.js b/api/strategies/openidStrategy.spec.js index 99b9483522..b1dc54d77b 100644 --- a/api/strategies/openidStrategy.spec.js +++ b/api/strategies/openidStrategy.spec.js @@ -775,10 +775,11 @@ describe('setupOpenId', () => { }); it('should attach federatedTokens to user object for token propagation', async () => { - // Arrange - setup tokenset with access token, refresh token, and expiration + // Arrange - setup tokenset with access token, id token, refresh token, and expiration const tokensetWithTokens = { ...tokenset, access_token: 'mock_access_token_abc123', + id_token: 'mock_id_token_def456', refresh_token: 'mock_refresh_token_xyz789', expires_at: 1234567890, }; @@ -790,16 +791,37 @@ describe('setupOpenId', () => { expect(user.federatedTokens).toBeDefined(); expect(user.federatedTokens).toEqual({ access_token: 'mock_access_token_abc123', + id_token: 'mock_id_token_def456', refresh_token: 'mock_refresh_token_xyz789', expires_at: 1234567890, }); }); + it('should include id_token in federatedTokens distinct from access_token', async () => { + // Arrange - use different values for access_token and id_token + const tokensetWithTokens = { + ...tokenset, + access_token: 'the_access_token', + id_token: 'the_id_token', + refresh_token: 'the_refresh_token', + expires_at: 9999999999, + }; + + // Act + const { user } = await validate(tokensetWithTokens); + + // Assert - id_token and access_token must be different values + expect(user.federatedTokens.access_token).toBe('the_access_token'); + expect(user.federatedTokens.id_token).toBe('the_id_token'); + expect(user.federatedTokens.id_token).not.toBe(user.federatedTokens.access_token); + }); + it('should include tokenset along with federatedTokens', async () => { // Arrange const tokensetWithTokens = { ...tokenset, access_token: 'test_access_token', + id_token: 'test_id_token', refresh_token: 'test_refresh_token', expires_at: 9999999999, }; @@ -811,7 +833,9 @@ describe('setupOpenId', () => { expect(user.tokenset).toBeDefined(); expect(user.federatedTokens).toBeDefined(); expect(user.tokenset.access_token).toBe('test_access_token'); + expect(user.tokenset.id_token).toBe('test_id_token'); expect(user.federatedTokens.access_token).toBe('test_access_token'); + expect(user.federatedTokens.id_token).toBe('test_id_token'); }); it('should set role to "ADMIN" if OPENID_ADMIN_ROLE is set and user has that role', async () => { diff --git a/packages/api/src/utils/oidc.spec.ts b/packages/api/src/utils/oidc.spec.ts index a5312e9c69..0d7216304b 100644 --- a/packages/api/src/utils/oidc.spec.ts +++ b/packages/api/src/utils/oidc.spec.ts @@ -427,6 +427,35 @@ describe('OpenID Token Utilities', () => { expect(result).toContain('User:'); }); + it('should resolve LIBRECHAT_OPENID_ID_TOKEN and LIBRECHAT_OPENID_ACCESS_TOKEN to different values', () => { + const user: Partial = { + id: 'user-123', + provider: 'openid', + openidId: 'oidc-sub-456', + email: 'test@example.com', + name: 'Test User', + federatedTokens: { + access_token: 'my-access-token', + id_token: 'my-id-token', + refresh_token: 'my-refresh-token', + expires_at: Math.floor(Date.now() / 1000) + 3600, + }, + }; + + const tokenInfo = extractOpenIDTokenInfo(user); + expect(tokenInfo).not.toBeNull(); + expect(tokenInfo!.accessToken).toBe('my-access-token'); + expect(tokenInfo!.idToken).toBe('my-id-token'); + expect(tokenInfo!.accessToken).not.toBe(tokenInfo!.idToken); + + const input = 'ACCESS={{LIBRECHAT_OPENID_ACCESS_TOKEN}}, ID={{LIBRECHAT_OPENID_ID_TOKEN}}'; + const result = processOpenIDPlaceholders(input, tokenInfo!); + + expect(result).toBe('ACCESS=my-access-token, ID=my-id-token'); + // Verify they are not the same value (the reported bug) + expect(result).not.toBe('ACCESS=my-access-token, ID=my-access-token'); + }); + it('should handle expired tokens correctly', () => { const user: Partial = { id: 'user-123', From 276ac8d011e6cc53a6bbe2a7e94b31f38b9c4071 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Fri, 13 Feb 2026 11:21:53 -0500 Subject: [PATCH 22/55] =?UTF-8?q?=F0=9F=9B=B0=EF=B8=8F=20feat:=20Add=20Bed?= =?UTF-8?q?rock=20Parameter=20Settings=20for=20MoonshotAI=20and=20Z.AI=20M?= =?UTF-8?q?odels=20(#11783)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Introduced new model entries for 'moonshotai.kimi' and 'moonshotai.kimi-k2.5' in tokens.ts. - Updated parameterSettings.ts to include configurations for MoonshotAI and ZAI providers. - Enhanced schemas.ts by adding MoonshotAI and ZAI to the BedrockProviders enum for better integration. --- packages/api/src/utils/tokens.ts | 2 ++ packages/data-provider/src/parameterSettings.ts | 7 +++++++ packages/data-provider/src/schemas.ts | 2 ++ 3 files changed, 11 insertions(+) diff --git a/packages/api/src/utils/tokens.ts b/packages/api/src/utils/tokens.ts index 49f1640a7a..53d1ec8059 100644 --- a/packages/api/src/utils/tokens.ts +++ b/packages/api/src/utils/tokens.ts @@ -197,6 +197,8 @@ const moonshotModels = { 'moonshot.kimi-k2.5': 262144, 'moonshot.kimi-k2-thinking': 262144, 'moonshot.kimi-k2-0711': 131072, + 'moonshotai.kimi': 262144, + 'moonshotai.kimi-k2.5': 262144, }; const metaModels = { diff --git a/packages/data-provider/src/parameterSettings.ts b/packages/data-provider/src/parameterSettings.ts index b3baa7fb50..c9f85f9b98 100644 --- a/packages/data-provider/src/parameterSettings.ts +++ b/packages/data-provider/src/parameterSettings.ts @@ -952,6 +952,8 @@ export const paramSettings: Record = [`${EModelEndpoint.bedrock}-${BedrockProviders.Amazon}`]: bedrockGeneral, [`${EModelEndpoint.bedrock}-${BedrockProviders.DeepSeek}`]: bedrockGeneral, [`${EModelEndpoint.bedrock}-${BedrockProviders.Moonshot}`]: bedrockMoonshot, + [`${EModelEndpoint.bedrock}-${BedrockProviders.MoonshotAI}`]: bedrockMoonshot, + [`${EModelEndpoint.bedrock}-${BedrockProviders.ZAI}`]: bedrockGeneral, [EModelEndpoint.google]: googleConfig, }; @@ -1000,6 +1002,11 @@ export const presetSettings: Record< col1: bedrockMoonshotCol1, col2: bedrockMoonshotCol2, }, + [`${EModelEndpoint.bedrock}-${BedrockProviders.MoonshotAI}`]: { + col1: bedrockMoonshotCol1, + col2: bedrockMoonshotCol2, + }, + [`${EModelEndpoint.bedrock}-${BedrockProviders.ZAI}`]: bedrockGeneralColumns, [EModelEndpoint.google]: { col1: googleCol1, col2: googleCol2, diff --git a/packages/data-provider/src/schemas.ts b/packages/data-provider/src/schemas.ts index a429758c19..803d970477 100644 --- a/packages/data-provider/src/schemas.ts +++ b/packages/data-provider/src/schemas.ts @@ -101,7 +101,9 @@ export enum BedrockProviders { Meta = 'meta', MistralAI = 'mistral', Moonshot = 'moonshot', + MoonshotAI = 'moonshotai', StabilityAI = 'stability', + ZAI = 'zai', } export const getModelKey = (endpoint: EModelEndpoint | string, model: string) => { From ccbf9dc09353eda74597809e3b534eda46be018b Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Fri, 13 Feb 2026 13:33:25 -0500 Subject: [PATCH 23/55] =?UTF-8?q?=F0=9F=A7=B0=20fix:=20Convert=20`const`?= =?UTF-8?q?=20to=20`enum`=20in=20MCP=20Schemas=20for=20Gemini=20Compatibil?= =?UTF-8?q?ity=20(#11784)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: Convert `const` to `enum` in MCP tool schemas for Gemini/Vertex AI compatibility Gemini/Vertex AI rejects the JSON Schema `const` keyword in function declarations with a 400 error. Previously, the Zod conversion layer accidentally stripped `const`, but after migrating to pass raw JSON schemas directly to providers, the unsupported keyword now reaches Gemini verbatim. Add `normalizeJsonSchema` to recursively convert `const: X` → `enum: [X]`, which is semantically equivalent per the JSON Schema spec and supported by all providers. * fix: Update secure cookie handling in AuthService to use dynamic secure flag Replaced the static `secure: isProduction` with a call to `shouldUseSecureCookie()` in the `setOpenIDAuthTokens` function. This change ensures that the secure cookie setting is evaluated at runtime, improving cookie handling in development environments while maintaining security in production. * refactor: Simplify MCP tool key formatting and remove unused mocks in tests - Updated MCP test suite to replace static tool key formatting with a dynamic delimiter from Constants, enhancing consistency and maintainability. - Removed unused mock implementations for `@langchain/core/tools` and `@librechat/agents`, streamlining the test setup. - Adjusted related test cases to reflect the new tool key format, ensuring all tests remain functional. * chore: import order --- api/server/services/AuthService.js | 2 +- api/server/services/MCP.js | 5 +- api/server/services/MCP.spec.js | 96 +++------- packages/api/src/mcp/__tests__/zod.spec.ts | 195 ++++++++++++++++++++- packages/api/src/mcp/zod.ts | 59 +++++++ packages/api/src/tools/definitions.ts | 9 +- 6 files changed, 287 insertions(+), 79 deletions(-) diff --git a/api/server/services/AuthService.js b/api/server/services/AuthService.js index 1280f9f358..1b4b653c1a 100644 --- a/api/server/services/AuthService.js +++ b/api/server/services/AuthService.js @@ -488,7 +488,7 @@ const setOpenIDAuthTokens = (tokenset, req, res, userId, existingRefreshToken) = res.cookie('openid_id_token', tokenset.id_token, { expires: expirationDate, httpOnly: true, - secure: isProduction, + secure: shouldUseSecureCookie(), sameSite: 'strict', }); } diff --git a/api/server/services/MCP.js b/api/server/services/MCP.js index 8cb9932097..ad1f9f5cc3 100644 --- a/api/server/services/MCP.js +++ b/api/server/services/MCP.js @@ -11,8 +11,9 @@ const { MCPOAuthHandler, isMCPDomainAllowed, normalizeServerName, - resolveJsonSchemaRefs, + normalizeJsonSchema, GenerationJobManager, + resolveJsonSchemaRefs, } = require('@librechat/api'); const { Time, @@ -443,7 +444,7 @@ function createToolInstance({ const { description, parameters } = toolDefinition; const isGoogle = _provider === Providers.VERTEXAI || _provider === Providers.GOOGLE; - let schema = parameters ? resolveJsonSchemaRefs(parameters) : null; + let schema = parameters ? normalizeJsonSchema(resolveJsonSchemaRefs(parameters)) : null; if (!schema || (isGoogle && isEmptyObjectSchema(schema))) { schema = { diff --git a/api/server/services/MCP.spec.js b/api/server/services/MCP.spec.js index 84ec3013dd..b2caebc91e 100644 --- a/api/server/services/MCP.spec.js +++ b/api/server/services/MCP.spec.js @@ -9,30 +9,6 @@ jest.mock('@librechat/data-schemas', () => ({ }, })); -jest.mock('@langchain/core/tools', () => ({ - tool: jest.fn((fn, config) => { - const toolInstance = { _call: fn, ...config }; - return toolInstance; - }), -})); - -jest.mock('@librechat/agents', () => ({ - Providers: { - VERTEXAI: 'vertexai', - GOOGLE: 'google', - }, - StepTypes: { - TOOL_CALLS: 'tool_calls', - }, - GraphEvents: { - ON_RUN_STEP_DELTA: 'on_run_step_delta', - ON_RUN_STEP: 'on_run_step', - }, - Constants: { - CONTENT_AND_ARTIFACT: 'content_and_artifact', - }, -})); - // Create mock registry instance const mockRegistryInstance = { getOAuthServers: jest.fn(() => Promise.resolve(new Set())), @@ -46,26 +22,23 @@ const mockIsMCPDomainAllowed = jest.fn(() => Promise.resolve(true)); const mockGetAppConfig = jest.fn(() => Promise.resolve({})); jest.mock('@librechat/api', () => { - // Access mock via getter to avoid hoisting issues + const actual = jest.requireActual('@librechat/api'); return { - MCPOAuthHandler: { - generateFlowId: jest.fn(), - }, + ...actual, sendEvent: jest.fn(), - normalizeServerName: jest.fn((name) => name), - resolveJsonSchemaRefs: jest.fn((params) => params), get isMCPDomainAllowed() { return mockIsMCPDomainAllowed; }, - MCPServersRegistry: { - getInstance: () => mockRegistryInstance, + GenerationJobManager: { + emitChunk: jest.fn(), }, }; }); const { logger } = require('@librechat/data-schemas'); const { MCPOAuthHandler } = require('@librechat/api'); -const { CacheKeys } = require('librechat-data-provider'); +const { CacheKeys, Constants } = require('librechat-data-provider'); +const D = Constants.mcp_delimiter; const { createMCPTool, createMCPTools, @@ -74,24 +47,6 @@ const { getServerConnectionStatus, } = require('./MCP'); -jest.mock('librechat-data-provider', () => ({ - CacheKeys: { - FLOWS: 'flows', - }, - Constants: { - USE_PRELIM_RESPONSE_MESSAGE_ID: 'prelim_response_id', - mcp_delimiter: '::', - mcp_prefix: 'mcp_', - }, - ContentTypes: { - TEXT: 'text', - }, - isAssistantsEndpoint: jest.fn(() => false), - Time: { - TWO_MINUTES: 120000, - }, -})); - jest.mock('./Config', () => ({ loadCustomConfig: jest.fn(), get getAppConfig() { @@ -132,6 +87,7 @@ describe('tests for the new helper functions used by the MCP connection status e beforeEach(() => { jest.clearAllMocks(); + jest.spyOn(MCPOAuthHandler, 'generateFlowId'); mockGetMCPManager = require('~/config').getMCPManager; mockGetFlowStateManager = require('~/config').getFlowStateManager; @@ -735,7 +691,7 @@ describe('User parameter passing tests', () => { mockReinitMCPServer.mockResolvedValue({ tools: [{ name: 'test-tool' }], availableTools: { - 'test-tool::test-server': { + [`test-tool${D}test-server`]: { function: { description: 'Test tool', parameters: { type: 'object', properties: {} }, @@ -795,7 +751,7 @@ describe('User parameter passing tests', () => { mockReinitMCPServer.mockResolvedValue({ availableTools: { - 'test-tool::test-server': { + [`test-tool${D}test-server`]: { function: { description: 'Test tool', parameters: { type: 'object', properties: {} }, @@ -808,7 +764,7 @@ describe('User parameter passing tests', () => { await createMCPTool({ res: mockRes, user: mockUser, - toolKey: 'test-tool::test-server', + toolKey: `test-tool${D}test-server`, provider: 'openai', signal: mockSignal, userMCPAuthMap: {}, @@ -830,7 +786,7 @@ describe('User parameter passing tests', () => { const mockRes = { write: jest.fn(), flush: jest.fn() }; const availableTools = { - 'test-tool::test-server': { + [`test-tool${D}test-server`]: { function: { description: 'Cached tool', parameters: { type: 'object', properties: {} }, @@ -841,7 +797,7 @@ describe('User parameter passing tests', () => { await createMCPTool({ res: mockRes, user: mockUser, - toolKey: 'test-tool::test-server', + toolKey: `test-tool${D}test-server`, provider: 'openai', userMCPAuthMap: {}, availableTools: availableTools, @@ -864,8 +820,8 @@ describe('User parameter passing tests', () => { return Promise.resolve({ tools: [{ name: 'tool1' }, { name: 'tool2' }], availableTools: { - 'tool1::server1': { function: { description: 'Tool 1', parameters: {} } }, - 'tool2::server1': { function: { description: 'Tool 2', parameters: {} } }, + [`tool1${D}server1`]: { function: { description: 'Tool 1', parameters: {} } }, + [`tool2${D}server1`]: { function: { description: 'Tool 2', parameters: {} } }, }, }); }); @@ -896,7 +852,7 @@ describe('User parameter passing tests', () => { reinitCalls.push(params); return Promise.resolve({ availableTools: { - 'my-tool::my-server': { + [`my-tool${D}my-server`]: { function: { description: 'My Tool', parameters: {} }, }, }, @@ -906,7 +862,7 @@ describe('User parameter passing tests', () => { await createMCPTool({ res: mockRes, user: mockUser, - toolKey: 'my-tool::my-server', + toolKey: `my-tool${D}my-server`, provider: 'google', userMCPAuthMap: {}, availableTools: undefined, // Force reinit @@ -940,11 +896,11 @@ describe('User parameter passing tests', () => { const result = await createMCPTool({ res: mockRes, user: mockUser, - toolKey: 'test-tool::test-server', + toolKey: `test-tool${D}test-server`, provider: 'openai', userMCPAuthMap: {}, availableTools: { - 'test-tool::test-server': { + [`test-tool${D}test-server`]: { function: { description: 'Test tool', parameters: { type: 'object', properties: {} }, @@ -987,7 +943,7 @@ describe('User parameter passing tests', () => { mockIsMCPDomainAllowed.mockResolvedValueOnce(true); const availableTools = { - 'test-tool::test-server': { + [`test-tool${D}test-server`]: { function: { description: 'Test tool', parameters: { type: 'object', properties: {} }, @@ -998,7 +954,7 @@ describe('User parameter passing tests', () => { const result = await createMCPTool({ res: mockRes, user: mockUser, - toolKey: 'test-tool::test-server', + toolKey: `test-tool${D}test-server`, provider: 'openai', userMCPAuthMap: {}, availableTools, @@ -1027,7 +983,7 @@ describe('User parameter passing tests', () => { }); const availableTools = { - 'test-tool::test-server': { + [`test-tool${D}test-server`]: { function: { description: 'Test tool', parameters: { type: 'object', properties: {} }, @@ -1038,7 +994,7 @@ describe('User parameter passing tests', () => { const result = await createMCPTool({ res: mockRes, user: mockUser, - toolKey: 'test-tool::test-server', + toolKey: `test-tool${D}test-server`, provider: 'openai', userMCPAuthMap: {}, availableTools, @@ -1104,7 +1060,7 @@ describe('User parameter passing tests', () => { mockIsMCPDomainAllowed.mockResolvedValue(true); const availableTools = { - 'test-tool::test-server': { + [`test-tool${D}test-server`]: { function: { description: 'Test tool', parameters: { type: 'object', properties: {} }, @@ -1116,7 +1072,7 @@ describe('User parameter passing tests', () => { await createMCPTool({ res: mockRes, user: adminUser, - toolKey: 'test-tool::test-server', + toolKey: `test-tool${D}test-server`, provider: 'openai', userMCPAuthMap: {}, availableTools, @@ -1130,7 +1086,7 @@ describe('User parameter passing tests', () => { await createMCPTool({ res: mockRes, user: regularUser, - toolKey: 'test-tool::test-server', + toolKey: `test-tool${D}test-server`, provider: 'openai', userMCPAuthMap: {}, availableTools, @@ -1158,7 +1114,7 @@ describe('User parameter passing tests', () => { return Promise.resolve({ tools: [{ name: 'test' }], availableTools: { - 'test::server': { function: { description: 'Test', parameters: {} } }, + [`test${D}server`]: { function: { description: 'Test', parameters: {} } }, }, }); }); diff --git a/packages/api/src/mcp/__tests__/zod.spec.ts b/packages/api/src/mcp/__tests__/zod.spec.ts index 71713389bf..9566ba0def 100644 --- a/packages/api/src/mcp/__tests__/zod.spec.ts +++ b/packages/api/src/mcp/__tests__/zod.spec.ts @@ -2,7 +2,12 @@ // zod.spec.ts import { z } from 'zod'; import type { JsonSchemaType } from '@librechat/data-schemas'; -import { resolveJsonSchemaRefs, convertJsonSchemaToZod, convertWithResolvedRefs } from '../zod'; +import { + convertWithResolvedRefs, + convertJsonSchemaToZod, + resolveJsonSchemaRefs, + normalizeJsonSchema, +} from '../zod'; describe('convertJsonSchemaToZod', () => { describe('integer type handling', () => { @@ -206,7 +211,7 @@ describe('convertJsonSchemaToZod', () => { type: 'number' as const, enum: [1, 2, 3, 5, 8, 13], }; - const zodSchema = convertWithResolvedRefs(schema as JsonSchemaType); + const zodSchema = convertWithResolvedRefs(schema as unknown as JsonSchemaType); expect(zodSchema?.parse(1)).toBe(1); expect(zodSchema?.parse(13)).toBe(13); @@ -2002,3 +2007,189 @@ describe('convertJsonSchemaToZod', () => { }); }); }); + +describe('normalizeJsonSchema', () => { + it('should convert const to enum', () => { + const schema = { type: 'string', const: 'hello' } as any; + const result = normalizeJsonSchema(schema); + expect(result).toEqual({ type: 'string', enum: ['hello'] }); + expect(result).not.toHaveProperty('const'); + }); + + it('should preserve existing enum when const is also present', () => { + const schema = { type: 'string', const: 'hello', enum: ['hello', 'world'] } as any; + const result = normalizeJsonSchema(schema); + expect(result).toEqual({ type: 'string', enum: ['hello', 'world'] }); + expect(result).not.toHaveProperty('const'); + }); + + it('should handle non-string const values (number, boolean, null)', () => { + expect(normalizeJsonSchema({ type: 'number', const: 42 } as any)).toEqual({ + type: 'number', + enum: [42], + }); + expect(normalizeJsonSchema({ type: 'boolean', const: true } as any)).toEqual({ + type: 'boolean', + enum: [true], + }); + expect(normalizeJsonSchema({ type: 'string', const: null } as any)).toEqual({ + type: 'string', + enum: [null], + }); + }); + + it('should recursively normalize nested object properties', () => { + const schema = { + type: 'object', + properties: { + mode: { type: 'string', const: 'advanced' }, + count: { type: 'number', const: 5 }, + name: { type: 'string', description: 'A name' }, + }, + } as any; + + const result = normalizeJsonSchema(schema); + expect(result.properties.mode).toEqual({ type: 'string', enum: ['advanced'] }); + expect(result.properties.count).toEqual({ type: 'number', enum: [5] }); + expect(result.properties.name).toEqual({ type: 'string', description: 'A name' }); + }); + + it('should normalize inside oneOf/anyOf/allOf arrays', () => { + const schema = { + type: 'object', + oneOf: [ + { type: 'object', properties: { kind: { type: 'string', const: 'A' } } }, + { type: 'object', properties: { kind: { type: 'string', const: 'B' } } }, + ], + anyOf: [{ type: 'string', const: 'x' }], + allOf: [{ type: 'number', const: 1 }], + } as any; + + const result = normalizeJsonSchema(schema); + expect(result.oneOf[0].properties.kind).toEqual({ type: 'string', enum: ['A'] }); + expect(result.oneOf[1].properties.kind).toEqual({ type: 'string', enum: ['B'] }); + expect(result.anyOf[0]).toEqual({ type: 'string', enum: ['x'] }); + expect(result.allOf[0]).toEqual({ type: 'number', enum: [1] }); + }); + + it('should normalize array items with const', () => { + const schema = { + type: 'array', + items: { type: 'string', const: 'fixed' }, + } as any; + + const result = normalizeJsonSchema(schema); + expect(result.items).toEqual({ type: 'string', enum: ['fixed'] }); + }); + + it('should normalize additionalProperties with const', () => { + const schema = { + type: 'object', + additionalProperties: { type: 'string', const: 'val' }, + } as any; + + const result = normalizeJsonSchema(schema); + expect(result.additionalProperties).toEqual({ type: 'string', enum: ['val'] }); + }); + + it('should handle null, undefined, and primitive inputs safely', () => { + expect(normalizeJsonSchema(null as any)).toBeNull(); + expect(normalizeJsonSchema(undefined as any)).toBeUndefined(); + expect(normalizeJsonSchema('string' as any)).toBe('string'); + expect(normalizeJsonSchema(42 as any)).toBe(42); + expect(normalizeJsonSchema(true as any)).toBe(true); + }); + + it('should be a no-op when no const is present', () => { + const schema = { + type: 'object', + properties: { + name: { type: 'string', description: 'Name' }, + age: { type: 'number' }, + tags: { type: 'array', items: { type: 'string' } }, + }, + required: ['name'], + } as any; + + const result = normalizeJsonSchema(schema); + expect(result).toEqual(schema); + }); + + it('should handle a Tavily-like schema pattern with const', () => { + const schema = { + type: 'object', + properties: { + query: { + type: 'string', + description: 'The search query', + }, + search_depth: { + type: 'string', + const: 'advanced', + description: 'The depth of the search', + }, + topic: { + type: 'string', + enum: ['general', 'news'], + description: 'The search topic', + }, + include_answer: { + type: 'boolean', + const: true, + }, + max_results: { + type: 'number', + const: 5, + }, + }, + required: ['query'], + } as any; + + const result = normalizeJsonSchema(schema); + + // const fields should be converted to enum + expect(result.properties.search_depth).toEqual({ + type: 'string', + enum: ['advanced'], + description: 'The depth of the search', + }); + expect(result.properties.include_answer).toEqual({ + type: 'boolean', + enum: [true], + }); + expect(result.properties.max_results).toEqual({ + type: 'number', + enum: [5], + }); + + // Existing enum should be preserved + expect(result.properties.topic).toEqual({ + type: 'string', + enum: ['general', 'news'], + description: 'The search topic', + }); + + // Non-const fields should be unchanged + expect(result.properties.query).toEqual({ + type: 'string', + description: 'The search query', + }); + + // Top-level fields preserved + expect(result.required).toEqual(['query']); + expect(result.type).toBe('object'); + }); + + it('should handle arrays at the top level', () => { + const schemas = [ + { type: 'string', const: 'a' }, + { type: 'number', const: 1 }, + ] as any; + + const result = normalizeJsonSchema(schemas); + expect(result).toEqual([ + { type: 'string', enum: ['a'] }, + { type: 'number', enum: [1] }, + ]); + }); +}); diff --git a/packages/api/src/mcp/zod.ts b/packages/api/src/mcp/zod.ts index a218392755..4f6e955ce8 100644 --- a/packages/api/src/mcp/zod.ts +++ b/packages/api/src/mcp/zod.ts @@ -248,6 +248,65 @@ export function resolveJsonSchemaRefs>( return result as T; } +/** + * Recursively normalizes a JSON schema by converting `const` values to `enum` arrays. + * Gemini/Vertex AI does not support the `const` keyword in function declarations, + * but `const: X` is semantically equivalent to `enum: [X]` per the JSON Schema spec. + * + * @param schema - The JSON schema to normalize + * @returns The normalized schema with `const` converted to `enum` + */ +export function normalizeJsonSchema>(schema: T): T { + if (!schema || typeof schema !== 'object') { + return schema; + } + + if (Array.isArray(schema)) { + return schema.map((item) => + item && typeof item === 'object' ? normalizeJsonSchema(item) : item, + ) as unknown as T; + } + + const result: Record = {}; + + for (const [key, value] of Object.entries(schema)) { + if (key === 'const' && !('enum' in schema)) { + result['enum'] = [value]; + continue; + } + + if (key === 'const' && 'enum' in schema) { + // Skip `const` when `enum` already exists + continue; + } + + if (key === 'properties' && value && typeof value === 'object' && !Array.isArray(value)) { + const newProps: Record = {}; + for (const [propKey, propValue] of Object.entries(value as Record)) { + newProps[propKey] = + propValue && typeof propValue === 'object' + ? normalizeJsonSchema(propValue as Record) + : propValue; + } + result[key] = newProps; + } else if ( + (key === 'items' || key === 'additionalProperties') && + value && + typeof value === 'object' + ) { + result[key] = normalizeJsonSchema(value as Record); + } else if ((key === 'oneOf' || key === 'anyOf' || key === 'allOf') && Array.isArray(value)) { + result[key] = value.map((item) => + item && typeof item === 'object' ? normalizeJsonSchema(item) : item, + ); + } else { + result[key] = value; + } + } + + return result as T; +} + /** * Converts a JSON Schema to a Zod schema. * diff --git a/packages/api/src/tools/definitions.ts b/packages/api/src/tools/definitions.ts index 97312883f0..a5b35ac7d8 100644 --- a/packages/api/src/tools/definitions.ts +++ b/packages/api/src/tools/definitions.ts @@ -8,9 +8,10 @@ import { Constants, actionDelimiter } from 'librechat-data-provider'; import type { AgentToolOptions } from 'librechat-data-provider'; import type { LCToolRegistry, JsonSchemaType, LCTool, GenericTool } from '@librechat/agents'; -import { buildToolClassification, type ToolDefinition } from './classification'; +import type { ToolDefinition } from './classification'; +import { resolveJsonSchemaRefs, normalizeJsonSchema } from '~/mcp/zod'; +import { buildToolClassification } from './classification'; import { getToolDefinition } from './registry/definitions'; -import { resolveJsonSchemaRefs } from '~/mcp/zod'; export interface MCPServerTool { function?: { @@ -138,7 +139,7 @@ export async function loadToolDefinitions( name: actualToolName, description: toolDef.function.description, parameters: toolDef.function.parameters - ? resolveJsonSchemaRefs(toolDef.function.parameters) + ? normalizeJsonSchema(resolveJsonSchemaRefs(toolDef.function.parameters)) : undefined, serverName, }); @@ -153,7 +154,7 @@ export async function loadToolDefinitions( name: toolName, description: toolDef.function.description, parameters: toolDef.function.parameters - ? resolveJsonSchemaRefs(toolDef.function.parameters) + ? normalizeJsonSchema(resolveJsonSchemaRefs(toolDef.function.parameters)) : undefined, serverName, }); From e50f59062fa9ab26813c4822bf58bb823cf15e80 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Fri, 13 Feb 2026 14:25:26 -0500 Subject: [PATCH 24/55] =?UTF-8?q?=F0=9F=8F=8E=EF=B8=8F=20feat:=20Smart=20R?= =?UTF-8?q?einstall=20with=20Turborepo=20Caching=20for=20Better=20DX=20(#1?= =?UTF-8?q?1785)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: Add Turborepo support and smart reinstall script - Updated .gitignore to include Turborepo cache directory. - Added Turbo as a dependency in package.json and package-lock.json. - Introduced turbo.json configuration for build tasks. - Created smart-reinstall.js script to optimize dependency installation and package builds using Turborepo caching. * fix: Address PR review feedback for smart reinstall - Fix Windows compatibility in hasTurbo() by checking for .cmd/.ps1 shims - Remove Unix-specific shell syntax (> /dev/null 2>&1) from cache clearing - Split try/catch blocks so daemon stop failure doesn't block cache clear - Add actionable tips in error output pointing to --force and --verbose --- .gitignore | 3 + config/smart-reinstall.js | 235 ++++++++++++++++++++++++++++++++++++++ package-lock.json | 103 +++++++++++++++++ package.json | 3 + turbo.json | 33 ++++++ 5 files changed, 377 insertions(+) create mode 100644 config/smart-reinstall.js create mode 100644 turbo.json diff --git a/.gitignore b/.gitignore index d0c87ff03d..86d4a3ddae 100644 --- a/.gitignore +++ b/.gitignore @@ -30,6 +30,9 @@ coverage config/translations/stores/* client/src/localization/languages/*_missing_keys.json +# Turborepo +.turbo + # Compiled Dirs (http://nodejs.org/api/addons.html) build/ dist/ diff --git a/config/smart-reinstall.js b/config/smart-reinstall.js new file mode 100644 index 0000000000..18fe689127 --- /dev/null +++ b/config/smart-reinstall.js @@ -0,0 +1,235 @@ +#!/usr/bin/env node +/** + * Smart Reinstall for LibreChat + * + * Combines cached dependency installation with Turborepo-powered builds. + * + * Dependencies (npm ci): + * Hashes package-lock.json and stores a marker in node_modules. + * Skips npm ci entirely when the lockfile hasn't changed. + * + * Package builds (Turborepo): + * Turbo hashes each package's source/config inputs, caches build + * outputs (dist/), and restores from cache when inputs match. + * Turbo v2 uses a global cache (~/.cache/turbo) that survives + * npm ci and is shared across worktrees. + * + * Usage: + * npm run smart-reinstall # Smart cached mode + * npm run smart-reinstall -- --force # Full clean reinstall, bust all caches + * npm run smart-reinstall -- --skip-client # Skip frontend (Vite) build + * npm run smart-reinstall -- --clean-cache # Wipe turbo build cache + * npm run smart-reinstall -- --verbose # Turbo verbose output + */ + +const crypto = require('crypto'); +const fs = require('fs'); +const path = require('path'); +const { execSync } = require('child_process'); + +// Adds console.green, console.purple, etc. +require('./helpers'); + +// ─── Configuration ─────────────────────────────────────────────────────────── + +const ROOT_DIR = path.resolve(__dirname, '..'); +const DEPS_HASH_MARKER = path.join(ROOT_DIR, 'node_modules', '.librechat-deps-hash'); + +const flags = { + force: process.argv.includes('--force'), + cleanCache: process.argv.includes('--clean-cache'), + skipClient: process.argv.includes('--skip-client'), + verbose: process.argv.includes('--verbose'), +}; + +// Workspace directories whose node_modules should be cleaned during reinstall +const NODE_MODULES_DIRS = [ + ROOT_DIR, + path.join(ROOT_DIR, 'packages', 'data-provider'), + path.join(ROOT_DIR, 'packages', 'data-schemas'), + path.join(ROOT_DIR, 'packages', 'client'), + path.join(ROOT_DIR, 'packages', 'api'), + path.join(ROOT_DIR, 'client'), + path.join(ROOT_DIR, 'api'), +]; + +// ─── Helpers ───────────────────────────────────────────────────────────────── + +function hashFile(filePath) { + return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex').slice(0, 16); +} + +function exec(cmd, opts = {}) { + execSync(cmd, { cwd: ROOT_DIR, stdio: 'inherit', ...opts }); +} + +// ─── Dependency Installation ───────────────────────────────────────────────── + +function checkDeps() { + const lockfile = path.join(ROOT_DIR, 'package-lock.json'); + if (!fs.existsSync(lockfile)) { + return { needsInstall: true, hash: 'missing' }; + } + + const hash = hashFile(lockfile); + + if (!fs.existsSync(path.join(ROOT_DIR, 'node_modules'))) { + return { needsInstall: true, hash }; + } + if (!fs.existsSync(DEPS_HASH_MARKER)) { + return { needsInstall: true, hash }; + } + + const stored = fs.readFileSync(DEPS_HASH_MARKER, 'utf-8').trim(); + return { needsInstall: stored !== hash, hash }; +} + +function installDeps(hash) { + const { deleteNodeModules } = require('./helpers'); + NODE_MODULES_DIRS.forEach(deleteNodeModules); + + console.purple('Cleaning npm cache...'); + exec('npm cache clean --force'); + + console.purple('Installing dependencies (npm ci)...'); + exec('npm ci'); + + fs.writeFileSync(DEPS_HASH_MARKER, hash, 'utf-8'); +} + +// ─── Turbo Build ───────────────────────────────────────────────────────────── + +function runTurboBuild() { + const args = ['npx', 'turbo', 'run', 'build']; + + if (flags.skipClient) { + args.push('--filter=!@librechat/frontend'); + } + + if (flags.force) { + args.push('--force'); + } + + if (flags.verbose) { + args.push('--verbosity=2'); + } + + const cmd = args.join(' '); + console.gray(` ${cmd}\n`); + exec(cmd); +} + +/** + * Fallback for when turbo is not installed (e.g., first run before npm ci). + * Runs the same sequential build as the original `npm run frontend`. + */ +function runFallbackBuild() { + console.orange(' turbo not found — using sequential fallback build\n'); + + const scripts = [ + 'build:data-provider', + 'build:data-schemas', + 'build:api', + 'build:client-package', + ]; + + if (!flags.skipClient) { + scripts.push('build:client'); + } + + for (const script of scripts) { + console.purple(` Running ${script}...`); + exec(`npm run ${script}`); + } +} + +function hasTurbo() { + const binDir = path.join(ROOT_DIR, 'node_modules', '.bin'); + return ['turbo', 'turbo.cmd', 'turbo.ps1'].some((name) => fs.existsSync(path.join(binDir, name))); +} + +// ─── Main ──────────────────────────────────────────────────────────────────── + +(async () => { + const startTime = Date.now(); + + console.green('\n Smart Reinstall — LibreChat'); + console.green('─'.repeat(45)); + + // ── Handle --clean-cache ─────────────────────────────────────────────── + if (flags.cleanCache) { + console.purple('Clearing Turborepo cache...'); + if (hasTurbo()) { + try { + exec('npx turbo daemon stop', { stdio: 'pipe' }); + } catch { + // ignore — daemon may not be running + } + } + // Clear local .turbo cache dir + const localTurboCache = path.join(ROOT_DIR, '.turbo'); + if (fs.existsSync(localTurboCache)) { + fs.rmSync(localTurboCache, { recursive: true }); + } + // Clear global turbo cache + if (hasTurbo()) { + try { + exec('npx turbo clean', { stdio: 'pipe' }); + console.green('Turbo cache cleared.'); + } catch { + console.gray('Could not clear global turbo cache (may not exist yet).'); + } + } else { + console.gray('turbo not installed — nothing to clear.'); + } + + if (!flags.force) { + return; + } + } + + // ── Step 1: Dependencies ─────────────────────────────────────────────── + console.purple('\n[1/2] Checking dependencies...'); + + if (flags.force) { + console.orange(' Force mode — reinstalling all dependencies'); + const lockfile = path.join(ROOT_DIR, 'package-lock.json'); + const hash = fs.existsSync(lockfile) ? hashFile(lockfile) : 'none'; + installDeps(hash); + console.green(' Dependencies installed.'); + } else { + const { needsInstall, hash } = checkDeps(); + if (needsInstall) { + console.orange(' package-lock.json changed or node_modules missing'); + installDeps(hash); + console.green(' Dependencies installed.'); + } else { + console.green(' Dependencies up to date — skipping npm ci'); + } + } + + // ── Step 2: Build packages ───────────────────────────────────────────── + console.purple('\n[2/2] Building packages...'); + + if (hasTurbo()) { + runTurboBuild(); + } else { + runFallbackBuild(); + } + + // ── Done ─────────────────────────────────────────────────────────────── + const elapsed = ((Date.now() - startTime) / 1000).toFixed(1); + console.log(''); + console.green('─'.repeat(45)); + console.green(` Done (${elapsed}s)`); + console.green(' Start the app with: npm run backend'); + console.green('─'.repeat(45)); +})().catch((err) => { + console.red(`\nError: ${err.message}`); + if (flags.verbose) { + console.red(err.stack); + } + console.gray(' Tip: run with --force to clean all caches and reinstall from scratch'); + console.gray(' Tip: run with --verbose for detailed output'); + process.exit(1); +}); diff --git a/package-lock.json b/package-lock.json index 29c38184e2..402f4872e6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -40,6 +40,7 @@ "lint-staged": "^15.4.3", "prettier": "^3.5.0", "prettier-plugin-tailwindcss": "^0.6.11", + "turbo": "^2.8.7", "typescript-eslint": "^8.24.0" } }, @@ -39915,6 +39916,108 @@ "dev": true, "license": "MIT" }, + "node_modules/turbo": { + "version": "2.8.7", + "resolved": "https://registry.npmjs.org/turbo/-/turbo-2.8.7.tgz", + "integrity": "sha512-RBLh5caMAu1kFdTK1jgH2gH/z+jFsvX5rGbhgJ9nlIAWXSvxlzwId05uDlBA1+pBd3wO/UaKYzaQZQBXDd7kcA==", + "dev": true, + "license": "MIT", + "bin": { + "turbo": "bin/turbo" + }, + "optionalDependencies": { + "turbo-darwin-64": "2.8.7", + "turbo-darwin-arm64": "2.8.7", + "turbo-linux-64": "2.8.7", + "turbo-linux-arm64": "2.8.7", + "turbo-windows-64": "2.8.7", + "turbo-windows-arm64": "2.8.7" + } + }, + "node_modules/turbo-darwin-64": { + "version": "2.8.7", + "resolved": "https://registry.npmjs.org/turbo-darwin-64/-/turbo-darwin-64-2.8.7.tgz", + "integrity": "sha512-Xr4TO/oDDwoozbDtBvunb66g//WK8uHRygl72vUthuwzmiw48pil4IuoG/QbMHd9RE8aBnVmzC0WZEWk/WWt3A==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/turbo-darwin-arm64": { + "version": "2.8.7", + "resolved": "https://registry.npmjs.org/turbo-darwin-arm64/-/turbo-darwin-arm64-2.8.7.tgz", + "integrity": "sha512-p8Xbmb9kZEY/NoshQUcFmQdO80s2PCGoLYj5DbpxjZr3diknipXxzOK7pcmT7l2gNHaMCpFVWLkiFY9nO3EU5w==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/turbo-linux-64": { + "version": "2.8.7", + "resolved": "https://registry.npmjs.org/turbo-linux-64/-/turbo-linux-64-2.8.7.tgz", + "integrity": "sha512-nwfEPAH3m5y/nJeYly3j1YJNYU2EG5+2ysZUxvBNM+VBV2LjQaLxB9CsEIpIOKuWKCjnFHKIADTSDPZ3D12J5Q==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/turbo-linux-arm64": { + "version": "2.8.7", + "resolved": "https://registry.npmjs.org/turbo-linux-arm64/-/turbo-linux-arm64-2.8.7.tgz", + "integrity": "sha512-mgA/M6xiJzyxtXV70TtWGDPh+I6acOKmeQGtOzbFQZYEf794pu5jax26bCk5skAp1gqZu3vacPr6jhYHoHU9IQ==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/turbo-windows-64": { + "version": "2.8.7", + "resolved": "https://registry.npmjs.org/turbo-windows-64/-/turbo-windows-64-2.8.7.tgz", + "integrity": "sha512-sHTYMaXuCcyHnGUQgfUUt7S8407TWoP14zc/4N2tsM0wZNK6V9h4H2t5jQPtqKEb6Fg8313kygdDgEwuM4vsHg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/turbo-windows-arm64": { + "version": "2.8.7", + "resolved": "https://registry.npmjs.org/turbo-windows-arm64/-/turbo-windows-arm64-2.8.7.tgz", + "integrity": "sha512-WyGiOI2Zp3AhuzVagzQN+T+iq0fWx0oGxDfAWT3ZiLEd4U0cDUkwUZDKVGb3rKqPjDL6lWnuxKKu73ge5xtovQ==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ] + }, "node_modules/type": { "version": "2.7.3", "resolved": "https://registry.npmjs.org/type/-/type-2.7.3.tgz", diff --git a/package.json b/package.json index 80dea27369..4f15a10e05 100644 --- a/package.json +++ b/package.json @@ -2,6 +2,7 @@ "name": "LibreChat", "version": "v0.8.2", "description": "", + "packageManager": "npm@11.10.0", "workspaces": [ "api", "client", @@ -15,6 +16,7 @@ "user-stats": "node config/user-stats.js", "rebuild:package-lock": "node config/packages", "reinstall": "node config/update.js -l -g", + "smart-reinstall": "node config/smart-reinstall.js", "b:reinstall": "bun config/update.js -b -l -g", "reinstall:docker": "node config/update.js -d -g", "update:local": "node config/update.js -l", @@ -128,6 +130,7 @@ "lint-staged": "^15.4.3", "prettier": "^3.5.0", "prettier-plugin-tailwindcss": "^0.6.11", + "turbo": "^2.8.7", "typescript-eslint": "^8.24.0" }, "overrides": { diff --git a/turbo.json b/turbo.json new file mode 100644 index 0000000000..dbbca31ddb --- /dev/null +++ b/turbo.json @@ -0,0 +1,33 @@ +{ + "$schema": "https://turbo.build/schema.json", + "globalDependencies": ["package-lock.json"], + "tasks": { + "build": { + "dependsOn": ["^build"], + "inputs": [ + "src/**", + "!src/**/__tests__/**", + "!src/**/__mocks__/**", + "!src/**/*.test.*", + "!src/**/*.spec.*", + "scripts/**", + "rollup.config.js", + "server-rollup.config.js", + "tsconfig.json", + "tsconfig.build.json", + "vite.config.ts", + "index.html", + "postcss.config.*", + "tailwind.config.*", + "package.json" + ], + "outputs": ["dist/**"] + }, + "@librechat/data-schemas#build": { + "dependsOn": ["^build", "librechat-data-provider#build"] + }, + "@librechat/api#build": { + "dependsOn": ["^build", "librechat-data-provider#build", "@librechat/data-schemas#build"] + } + } +} From dc489e7b251d76feb5fdc42eea214f9a14a167df Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Fri, 13 Feb 2026 14:54:49 -0500 Subject: [PATCH 25/55] =?UTF-8?q?=F0=9F=AA=9F=20fix:=20Tab=20Isolation=20f?= =?UTF-8?q?or=20Agent=20Favorites=20+=20MCP=20Selections=20(#11786)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 refactor: Implement tab-isolated storage for favorites and MCP selections - Replaced `createStorageAtom` with `createTabIsolatedAtom` in favorites store to prevent cross-tab synchronization of favorites. - Introduced `createTabIsolatedStorage` and `createTabIsolatedAtom` in `jotai-utils` to facilitate tab-specific state management. - Updated MCP values atom family to utilize tab-isolated storage, ensuring independent MCP server selections across tabs. * 🔧 fix: Update MCP selection logic to ensure active MCPs are only set when configured servers are available - Modified the condition in `useMCPSelect` to check for both available MCPs and configured servers before setting MCP values. This change prevents potential issues when no servers are configured, enhancing the reliability of MCP selections. --- client/src/hooks/MCP/useMCPSelect.ts | 2 +- client/src/store/favorites.ts | 4 +- client/src/store/jotai-utils.ts | 63 ++++++++++++++++++++++++++++ client/src/store/mcp.ts | 10 ++++- 4 files changed, 75 insertions(+), 4 deletions(-) diff --git a/client/src/hooks/MCP/useMCPSelect.ts b/client/src/hooks/MCP/useMCPSelect.ts index ec9dfe0bbb..e0118b8be1 100644 --- a/client/src/hooks/MCP/useMCPSelect.ts +++ b/client/src/hooks/MCP/useMCPSelect.ts @@ -28,7 +28,7 @@ export function useMCPSelect({ const mcps = ephemeralAgent?.mcp ?? []; if (mcps.length === 1 && mcps[0] === Constants.mcp_clear) { setMCPValuesRaw([]); - } else if (mcps.length > 0) { + } else if (mcps.length > 0 && configuredServers.size > 0) { // Strip out servers that are not available in the startup config const activeMcps = mcps.filter((mcp) => configuredServers.has(mcp)); setMCPValuesRaw(activeMcps); diff --git a/client/src/store/favorites.ts b/client/src/store/favorites.ts index b3744f52b0..9065f1ca4e 100644 --- a/client/src/store/favorites.ts +++ b/client/src/store/favorites.ts @@ -1,4 +1,4 @@ -import { createStorageAtom } from './jotai-utils'; +import { createTabIsolatedAtom } from './jotai-utils'; export type Favorite = { agentId?: string; @@ -16,4 +16,4 @@ export type FavoritesState = Favorite[]; /** * This atom stores the user's favorite models/agents */ -export const favoritesAtom = createStorageAtom('favorites', []); +export const favoritesAtom = createTabIsolatedAtom('favorites', []); diff --git a/client/src/store/jotai-utils.ts b/client/src/store/jotai-utils.ts index d3ca9d817c..5d2769d7e9 100644 --- a/client/src/store/jotai-utils.ts +++ b/client/src/store/jotai-utils.ts @@ -1,5 +1,6 @@ import { atom } from 'jotai'; import { atomWithStorage } from 'jotai/utils'; +import type { SyncStorage } from 'jotai/vanilla/utils/atomWithStorage'; /** * Create a simple atom with localStorage persistence @@ -42,6 +43,68 @@ export function createStorageAtomWithEffect( ); } +/** + * Create a SyncStorage adapter that reads/writes to localStorage but does NOT + * subscribe to browser `storage` events. This prevents cross-tab synchronization + * for atoms where each tab should maintain independent state. + * + * Use this for atoms that represent per-tab working state (e.g., favorites toggle, + * MCP server selections) rather than user preferences. + */ +export function createTabIsolatedStorage(): SyncStorage { + return { + getItem(key: string, initialValue: Value): Value { + if (typeof window === 'undefined') { + return initialValue; + } + try { + const stored = localStorage.getItem(key); + if (stored === null) { + return initialValue; + } + return JSON.parse(stored) as Value; + } catch { + return initialValue; + } + }, + setItem(key: string, newValue: Value): void { + if (typeof window === 'undefined') { + return; + } + try { + localStorage.setItem(key, JSON.stringify(newValue)); + } catch { + // quota exceeded or other write error — silently ignore + } + }, + removeItem(key: string): void { + if (typeof window === 'undefined') { + return; + } + try { + localStorage.removeItem(key); + } catch { + // silently ignore + } + }, + // subscribe intentionally omitted — prevents cross-tab sync via storage events + }; +} + +/** + * Create an atom with localStorage persistence that does NOT sync across tabs. + * Parallels `createStorageAtom` but uses tab-isolated storage. + * + * @param key - localStorage key + * @param defaultValue - default value if no saved value exists + * @returns Jotai atom with localStorage persistence, isolated per tab + */ +export function createTabIsolatedAtom(key: string, defaultValue: T) { + return atomWithStorage(key, defaultValue, createTabIsolatedStorage(), { + getOnInit: true, + }); +} + /** * Initialize a value from localStorage and optionally apply it * Useful for applying saved values on app startup (e.g., theme, fontSize) diff --git a/client/src/store/mcp.ts b/client/src/store/mcp.ts index e540b167e4..793e1cebd0 100644 --- a/client/src/store/mcp.ts +++ b/client/src/store/mcp.ts @@ -1,6 +1,14 @@ import { atom } from 'jotai'; import { atomFamily, atomWithStorage } from 'jotai/utils'; import { Constants, LocalStorageKeys } from 'librechat-data-provider'; +import { createTabIsolatedStorage } from './jotai-utils'; + +/** + * Tab-isolated storage for MCP values — prevents cross-tab sync so that + * each tab's MCP server selections are independent (especially for new chats + * which all share the same `LAST_MCP_new` localStorage key). + */ +const mcpTabIsolatedStorage = createTabIsolatedStorage(); /** * Creates a storage atom for MCP values per conversation @@ -10,7 +18,7 @@ export const mcpValuesAtomFamily = atomFamily((conversationId: string | null) => const key = conversationId ?? Constants.NEW_CONVO; const storageKey = `${LocalStorageKeys.LAST_MCP_}${key}`; - return atomWithStorage(storageKey, [], undefined, { getOnInit: true }); + return atomWithStorage(storageKey, [], mcpTabIsolatedStorage, { getOnInit: true }); }); /** From 6cc6ee3207acbf9be4017d0c9a20d79e5195effc Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Fri, 13 Feb 2026 22:46:14 -0500 Subject: [PATCH 26/55] =?UTF-8?q?=F0=9F=93=B3=20refactor:=20Optimize=20Mod?= =?UTF-8?q?el=20Selector=20(#11787)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Introduced a new `EndpointMenuContent` component to lazily render endpoint submenu content, improving performance by deferring expensive model-list rendering until the submenu is mounted. - Refactored `EndpointItem` to utilize the new component, simplifying the code and enhancing readability. - Removed redundant filtering logic and model specifications handling from `EndpointItem`, centralizing it within `EndpointMenuContent` for better maintainability. --- .../Endpoints/components/EndpointItem.tsx | 128 ++++++++++-------- 1 file changed, 69 insertions(+), 59 deletions(-) diff --git a/client/src/components/Chat/Menus/Endpoints/components/EndpointItem.tsx b/client/src/components/Chat/Menus/Endpoints/components/EndpointItem.tsx index 27c1236cb2..6f73f76d79 100644 --- a/client/src/components/Chat/Menus/Endpoints/components/EndpointItem.tsx +++ b/client/src/components/Chat/Menus/Endpoints/components/EndpointItem.tsx @@ -80,12 +80,76 @@ const SettingsButton = ({ ); }; +/** + * Lazily-rendered content for an endpoint submenu. By extracting this into a + * separate component, the expensive model-list rendering (and per-item hooks + * such as MutationObservers in EndpointModelItem) only runs when the submenu + * is actually mounted — which Ariakit defers via `unmountOnHide`. + */ +function EndpointMenuContent({ + endpoint, + endpointIndex, +}: { + endpoint: Endpoint; + endpointIndex: number; +}) { + const localize = useLocalize(); + const { agentsMap, assistantsMap, modelSpecs, selectedValues, endpointSearchValues } = + useModelSelectorContext(); + const { model: selectedModel, modelSpec: selectedSpec } = selectedValues; + const searchValue = endpointSearchValues[endpoint.value] || ''; + + const endpointSpecs = useMemo(() => { + if (!modelSpecs || !modelSpecs.length) { + return []; + } + return modelSpecs.filter((spec: TModelSpec) => spec.group === endpoint.value); + }, [modelSpecs, endpoint.value]); + + if (isAssistantsEndpoint(endpoint.value) && endpoint.models === undefined) { + return ( +
+
+ ); + } + + const filteredModels = searchValue + ? filterModels( + endpoint, + (endpoint.models || []).map((model) => model.name), + searchValue, + agentsMap, + assistantsMap, + ) + : null; + + return ( + <> + {endpointSpecs.map((spec: TModelSpec) => ( + + ))} + {filteredModels + ? renderEndpointModels( + endpoint, + endpoint.models || [], + selectedModel, + filteredModels, + endpointIndex, + ) + : endpoint.models && + renderEndpointModels(endpoint, endpoint.models, selectedModel, undefined, endpointIndex)} + + ); +} + export function EndpointItem({ endpoint, endpointIndex }: EndpointItemProps) { const localize = useLocalize(); const { - agentsMap, - assistantsMap, - modelSpecs, selectedValues, handleOpenKeyDialog, handleSelectEndpoint, @@ -93,19 +157,7 @@ export function EndpointItem({ endpoint, endpointIndex }: EndpointItemProps) { setEndpointSearchValue, endpointRequiresUserKey, } = useModelSelectorContext(); - const { - model: selectedModel, - endpoint: selectedEndpoint, - modelSpec: selectedSpec, - } = selectedValues; - - // Filter modelSpecs for this endpoint (by group matching endpoint value) - const endpointSpecs = useMemo(() => { - if (!modelSpecs || !modelSpecs.length) { - return []; - } - return modelSpecs.filter((spec: TModelSpec) => spec.group === endpoint.value); - }, [modelSpecs, endpoint.value]); + const { endpoint: selectedEndpoint } = selectedValues; const searchValue = endpointSearchValues[endpoint.value] || ''; const isUserProvided = useMemo( @@ -130,15 +182,6 @@ export function EndpointItem({ endpoint, endpointIndex }: EndpointItemProps) { const isEndpointSelected = selectedEndpoint === endpoint.value; if (endpoint.hasModels) { - const filteredModels = searchValue - ? filterModels( - endpoint, - (endpoint.models || []).map((model) => model.name), - searchValue, - agentsMap, - assistantsMap, - ) - : null; const placeholder = isAgentsEndpoint(endpoint.value) || isAssistantsEndpoint(endpoint.value) ? localize('com_endpoint_search_var', { 0: endpoint.label }) @@ -147,7 +190,6 @@ export function EndpointItem({ endpoint, endpointIndex }: EndpointItemProps) { setEndpointSearchValue(endpoint.value, value)} combobox={} @@ -170,39 +212,7 @@ export function EndpointItem({ endpoint, endpointIndex }: EndpointItemProps) {
} > - {isAssistantsEndpoint(endpoint.value) && endpoint.models === undefined ? ( -
-
- ) : ( - <> - {/* Render modelSpecs for this endpoint */} - {endpointSpecs.map((spec: TModelSpec) => ( - - ))} - {/* Render endpoint models */} - {filteredModels - ? renderEndpointModels( - endpoint, - endpoint.models || [], - selectedModel, - filteredModels, - endpointIndex, - ) - : endpoint.models && - renderEndpointModels( - endpoint, - endpoint.models, - selectedModel, - undefined, - endpointIndex, - )} - - )} + ); } else { From 467df0f07a1cb04987d86a662789fa276347886e Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Fri, 13 Feb 2026 23:04:51 -0500 Subject: [PATCH 27/55] =?UTF-8?q?=F0=9F=8E=AD=20feat:=20Override=20Custom?= =?UTF-8?q?=20Endpoint=20Schema=20with=20Specified=20Params=20Endpoint=20(?= =?UTF-8?q?#11788)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 refactor: Simplify payload parsing and enhance getSaveOptions logic - Removed unused bedrockInputSchema from payloadParser, streamlining the function. - Updated payloadParser to handle optional chaining for model parameters. - Enhanced getSaveOptions to ensure runOptions defaults to an empty object if parsing fails, improving robustness. - Adjusted the assignment of maxContextTokens to use the instance variable for consistency. * 🔧 fix: Update maxContextTokens assignment logic in initializeAgent function - Enhanced the maxContextTokens assignment to allow for user-defined values, ensuring it defaults to a calculated value only when not provided or invalid. This change improves flexibility in agent initialization. * 🧪 test: Add unit tests for initializeAgent function - Introduced comprehensive unit tests for the initializeAgent function, focusing on maxContextTokens behavior. - Tests cover scenarios for user-defined values, fallback calculations, and edge cases such as zero and negative values, enhancing overall test coverage and reliability of agent initialization logic. * refactor: default params Endpoint Configuration Handling - Integrated `getEndpointsConfig` to fetch endpoint configurations, allowing for dynamic handling of `defaultParamsEndpoint`. - Updated `buildEndpointOption` to pass `defaultParamsEndpoint` to `parseCompactConvo`, ensuring correct parameter handling based on endpoint type. - Added comprehensive unit tests for `buildDefaultConvo` and `cleanupPreset` to validate behavior with `defaultParamsEndpoint`, covering various scenarios and edge cases. - Refactored related hooks and utility functions to support the new configuration structure, improving overall flexibility and maintainability. * refactor: Centralize defaultParamsEndpoint retrieval - Introduced `getDefaultParamsEndpoint` function to streamline the retrieval of `defaultParamsEndpoint` across various hooks and middleware. - Updated multiple files to utilize the new function, enhancing code consistency and maintainability. - Removed redundant logic for fetching `defaultParamsEndpoint`, simplifying the codebase. --- api/server/controllers/agents/client.js | 26 +- api/server/middleware/buildEndpointOption.js | 20 +- .../middleware/buildEndpointOption.spec.js | 237 +++++++++++++++ client/src/hooks/Chat/useAddedResponse.ts | 9 +- client/src/hooks/Chat/useChatFunctions.ts | 3 + .../hooks/Conversations/useDefaultConvo.ts | 5 +- .../hooks/Conversations/useGenerateConvo.ts | 9 +- .../Conversations/useNavigateToConvo.tsx | 10 +- client/src/hooks/useNewConvo.ts | 3 + .../utils/__tests__/buildDefaultConvo.test.ts | 202 +++++++++++++ .../cleanupPreset.integration.test.ts | 119 ++++++++ .../src/utils/__tests__/cleanupPreset.test.ts | 42 ++- client/src/utils/buildDefaultConvo.ts | 3 + client/src/utils/cleanupPreset.ts | 12 +- .../src/agents/__tests__/initialize.test.ts | 284 ++++++++++++++++++ packages/api/src/agents/initialize.ts | 5 +- packages/data-provider/specs/parsers.spec.ts | 253 +++++++++++++++- packages/data-provider/src/config.ts | 11 + packages/data-provider/src/parsers.ts | 26 +- 19 files changed, 1234 insertions(+), 45 deletions(-) create mode 100644 api/server/middleware/buildEndpointOption.spec.js create mode 100644 client/src/utils/__tests__/buildDefaultConvo.test.ts create mode 100644 client/src/utils/__tests__/cleanupPreset.integration.test.ts create mode 100644 packages/api/src/agents/__tests__/initialize.test.ts diff --git a/api/server/controllers/agents/client.js b/api/server/controllers/agents/client.js index 8edbd28122..8e8a993a5d 100644 --- a/api/server/controllers/agents/client.js +++ b/api/server/controllers/agents/client.js @@ -39,7 +39,6 @@ const { PermissionTypes, isAgentsEndpoint, isEphemeralAgentId, - bedrockInputSchema, removeNullishValues, } = require('librechat-data-provider'); const { spendTokens, spendStructuredTokens } = require('~/models/spendTokens'); @@ -69,17 +68,11 @@ const omitTitleOptions = new Set([ * @param {Agent} agent * @param {string} endpoint */ -const payloadParser = ({ req, agent, endpoint }) => { +const payloadParser = ({ req, endpoint }) => { if (isAgentsEndpoint(endpoint)) { - return { model: undefined }; - } else if (endpoint === EModelEndpoint.bedrock) { - const parsedValues = bedrockInputSchema.parse(agent.model_parameters); - if (parsedValues.thinking == null) { - parsedValues.thinking = false; - } - return parsedValues; + return; } - return req.body.endpointOption.model_parameters; + return req.body?.endpointOption?.model_parameters; }; function createTokenCounter(encoding) { @@ -296,14 +289,9 @@ class AgentClient extends BaseClient { checkVisionRequest() {} getSaveOptions() { - // TODO: - // would need to be override settings; otherwise, model needs to be undefined - // model: this.override.model, - // instructions: this.override.instructions, - // additional_instructions: this.override.additional_instructions, let runOptions = {}; try { - runOptions = payloadParser(this.options); + runOptions = payloadParser(this.options) ?? {}; } catch (error) { logger.error( '[api/server/controllers/agents/client.js #getSaveOptions] Error parsing options', @@ -314,14 +302,14 @@ class AgentClient extends BaseClient { return removeNullishValues( Object.assign( { + spec: this.options.spec, + iconURL: this.options.iconURL, endpoint: this.options.endpoint, agent_id: this.options.agent.id, modelLabel: this.options.modelLabel, - maxContextTokens: this.options.maxContextTokens, resendFiles: this.options.resendFiles, imageDetail: this.options.imageDetail, - spec: this.options.spec, - iconURL: this.options.iconURL, + maxContextTokens: this.maxContextTokens, }, // TODO: PARSE OPTIONS BY PROVIDER, MAY CONTAIN SENSITIVE DATA runOptions, diff --git a/api/server/middleware/buildEndpointOption.js b/api/server/middleware/buildEndpointOption.js index f56d850120..64ed8e7466 100644 --- a/api/server/middleware/buildEndpointOption.js +++ b/api/server/middleware/buildEndpointOption.js @@ -5,9 +5,11 @@ const { EModelEndpoint, isAgentsEndpoint, parseCompactConvo, + getDefaultParamsEndpoint, } = require('librechat-data-provider'); const azureAssistants = require('~/server/services/Endpoints/azureAssistants'); const assistants = require('~/server/services/Endpoints/assistants'); +const { getEndpointsConfig } = require('~/server/services/Config'); const agents = require('~/server/services/Endpoints/agents'); const { updateFilesUsage } = require('~/models'); @@ -19,9 +21,24 @@ const buildFunction = { async function buildEndpointOption(req, res, next) { const { endpoint, endpointType } = req.body; + + let endpointsConfig; + try { + endpointsConfig = await getEndpointsConfig(req); + } catch (error) { + logger.error('Error fetching endpoints config in buildEndpointOption', error); + } + + const defaultParamsEndpoint = getDefaultParamsEndpoint(endpointsConfig, endpoint); + let parsedBody; try { - parsedBody = parseCompactConvo({ endpoint, endpointType, conversation: req.body }); + parsedBody = parseCompactConvo({ + endpoint, + endpointType, + conversation: req.body, + defaultParamsEndpoint, + }); } catch (error) { logger.error(`Error parsing compact conversation for endpoint ${endpoint}`, error); logger.debug({ @@ -55,6 +72,7 @@ async function buildEndpointOption(req, res, next) { endpoint, endpointType, conversation: currentModelSpec.preset, + defaultParamsEndpoint, }); if (currentModelSpec.iconURL != null && currentModelSpec.iconURL !== '') { parsedBody.iconURL = currentModelSpec.iconURL; diff --git a/api/server/middleware/buildEndpointOption.spec.js b/api/server/middleware/buildEndpointOption.spec.js new file mode 100644 index 0000000000..eab5e2666b --- /dev/null +++ b/api/server/middleware/buildEndpointOption.spec.js @@ -0,0 +1,237 @@ +/** + * Wrap parseCompactConvo: the REAL function runs, but jest can observe + * calls and return values. Must be declared before require('./buildEndpointOption') + * so the destructured reference in the middleware captures the wrapper. + */ +jest.mock('librechat-data-provider', () => { + const actual = jest.requireActual('librechat-data-provider'); + return { + ...actual, + parseCompactConvo: jest.fn((...args) => actual.parseCompactConvo(...args)), + }; +}); + +const { EModelEndpoint, parseCompactConvo } = require('librechat-data-provider'); + +const mockBuildOptions = jest.fn((_endpoint, parsedBody) => ({ + ...parsedBody, + endpoint: _endpoint, +})); + +jest.mock('~/server/services/Endpoints/azureAssistants', () => ({ + buildOptions: mockBuildOptions, +})); +jest.mock('~/server/services/Endpoints/assistants', () => ({ + buildOptions: mockBuildOptions, +})); +jest.mock('~/server/services/Endpoints/agents', () => ({ + buildOptions: mockBuildOptions, +})); + +jest.mock('~/models', () => ({ + updateFilesUsage: jest.fn(), +})); + +const mockGetEndpointsConfig = jest.fn(); +jest.mock('~/server/services/Config', () => ({ + getEndpointsConfig: (...args) => mockGetEndpointsConfig(...args), +})); + +jest.mock('@librechat/api', () => ({ + handleError: jest.fn(), +})); + +const buildEndpointOption = require('./buildEndpointOption'); + +const createReq = (body, config = {}) => ({ + body, + config, + baseUrl: '/api/chat', +}); + +const createRes = () => ({ + status: jest.fn().mockReturnThis(), + json: jest.fn().mockReturnThis(), +}); + +describe('buildEndpointOption - defaultParamsEndpoint parsing', () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + + it('should pass defaultParamsEndpoint to parseCompactConvo and preserve maxOutputTokens', async () => { + mockGetEndpointsConfig.mockResolvedValue({ + AnthropicClaude: { + type: EModelEndpoint.custom, + customParams: { + defaultParamsEndpoint: EModelEndpoint.anthropic, + }, + }, + }); + + const req = createReq( + { + endpoint: 'AnthropicClaude', + endpointType: EModelEndpoint.custom, + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + topP: 0.9, + maxContextTokens: 50000, + }, + { modelSpecs: null }, + ); + + await buildEndpointOption(req, createRes(), jest.fn()); + + expect(parseCompactConvo).toHaveBeenCalledWith( + expect.objectContaining({ + defaultParamsEndpoint: EModelEndpoint.anthropic, + }), + ); + + const parsedResult = parseCompactConvo.mock.results[0].value; + expect(parsedResult.maxOutputTokens).toBe(8192); + expect(parsedResult.topP).toBe(0.9); + expect(parsedResult.temperature).toBe(0.7); + expect(parsedResult.maxContextTokens).toBe(50000); + }); + + it('should strip maxOutputTokens when no defaultParamsEndpoint is configured', async () => { + mockGetEndpointsConfig.mockResolvedValue({ + MyOpenRouter: { + type: EModelEndpoint.custom, + }, + }); + + const req = createReq( + { + endpoint: 'MyOpenRouter', + endpointType: EModelEndpoint.custom, + model: 'gpt-4o', + temperature: 0.7, + maxOutputTokens: 8192, + max_tokens: 4096, + }, + { modelSpecs: null }, + ); + + await buildEndpointOption(req, createRes(), jest.fn()); + + expect(parseCompactConvo).toHaveBeenCalledWith( + expect.objectContaining({ + defaultParamsEndpoint: undefined, + }), + ); + + const parsedResult = parseCompactConvo.mock.results[0].value; + expect(parsedResult.maxOutputTokens).toBeUndefined(); + expect(parsedResult.max_tokens).toBe(4096); + expect(parsedResult.temperature).toBe(0.7); + }); + + it('should strip bedrock region from custom endpoint without defaultParamsEndpoint', async () => { + mockGetEndpointsConfig.mockResolvedValue({ + MyEndpoint: { + type: EModelEndpoint.custom, + }, + }); + + const req = createReq( + { + endpoint: 'MyEndpoint', + endpointType: EModelEndpoint.custom, + model: 'gpt-4o', + temperature: 0.7, + region: 'us-east-1', + }, + { modelSpecs: null }, + ); + + await buildEndpointOption(req, createRes(), jest.fn()); + + const parsedResult = parseCompactConvo.mock.results[0].value; + expect(parsedResult.region).toBeUndefined(); + expect(parsedResult.temperature).toBe(0.7); + }); + + it('should pass defaultParamsEndpoint when re-parsing enforced model spec', async () => { + mockGetEndpointsConfig.mockResolvedValue({ + AnthropicClaude: { + type: EModelEndpoint.custom, + customParams: { + defaultParamsEndpoint: EModelEndpoint.anthropic, + }, + }, + }); + + const modelSpec = { + name: 'claude-opus-4.5', + preset: { + endpoint: 'AnthropicClaude', + endpointType: EModelEndpoint.custom, + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + maxContextTokens: 50000, + }, + }; + + const req = createReq( + { + endpoint: 'AnthropicClaude', + endpointType: EModelEndpoint.custom, + spec: 'claude-opus-4.5', + model: 'anthropic/claude-opus-4.5', + }, + { + modelSpecs: { + enforce: true, + list: [modelSpec], + }, + }, + ); + + await buildEndpointOption(req, createRes(), jest.fn()); + + const enforcedCall = parseCompactConvo.mock.calls[1]; + expect(enforcedCall[0]).toEqual( + expect.objectContaining({ + defaultParamsEndpoint: EModelEndpoint.anthropic, + }), + ); + + const enforcedResult = parseCompactConvo.mock.results[1].value; + expect(enforcedResult.maxOutputTokens).toBe(8192); + expect(enforcedResult.temperature).toBe(0.7); + expect(enforcedResult.maxContextTokens).toBe(50000); + }); + + it('should fall back to OpenAI schema when getEndpointsConfig fails', async () => { + mockGetEndpointsConfig.mockRejectedValue(new Error('Config unavailable')); + + const req = createReq( + { + endpoint: 'AnthropicClaude', + endpointType: EModelEndpoint.custom, + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + max_tokens: 4096, + }, + { modelSpecs: null }, + ); + + await buildEndpointOption(req, createRes(), jest.fn()); + + expect(parseCompactConvo).toHaveBeenCalledWith( + expect.objectContaining({ + defaultParamsEndpoint: undefined, + }), + ); + + const parsedResult = parseCompactConvo.mock.results[0].value; + expect(parsedResult.maxOutputTokens).toBeUndefined(); + expect(parsedResult.max_tokens).toBe(4096); + }); +}); diff --git a/client/src/hooks/Chat/useAddedResponse.ts b/client/src/hooks/Chat/useAddedResponse.ts index c01cef0c69..fe35e4e56e 100644 --- a/client/src/hooks/Chat/useAddedResponse.ts +++ b/client/src/hooks/Chat/useAddedResponse.ts @@ -1,7 +1,12 @@ import { useCallback } from 'react'; import { useRecoilValue } from 'recoil'; import { useGetModelsQuery } from 'librechat-data-provider/react-query'; -import { getEndpointField, LocalStorageKeys, isAssistantsEndpoint } from 'librechat-data-provider'; +import { + getEndpointField, + LocalStorageKeys, + isAssistantsEndpoint, + getDefaultParamsEndpoint, +} from 'librechat-data-provider'; import type { TEndpointsConfig, EModelEndpoint, TConversation } from 'librechat-data-provider'; import type { AssistantListItem, NewConversationParams } from '~/common'; import useAssistantListMap from '~/hooks/Assistants/useAssistantListMap'; @@ -84,11 +89,13 @@ export default function useAddedResponse() { } const models = modelsConfig?.[defaultEndpoint ?? ''] ?? []; + const defaultParamsEndpoint = getDefaultParamsEndpoint(endpointsConfig, defaultEndpoint); newConversation = buildDefaultConvo({ conversation: newConversation, lastConversationSetup: preset as TConversation, endpoint: defaultEndpoint ?? ('' as EModelEndpoint), models, + defaultParamsEndpoint, }); if (preset?.title != null && preset.title !== '') { diff --git a/client/src/hooks/Chat/useChatFunctions.ts b/client/src/hooks/Chat/useChatFunctions.ts index 8479d8eaac..30465fc2e5 100644 --- a/client/src/hooks/Chat/useChatFunctions.ts +++ b/client/src/hooks/Chat/useChatFunctions.ts @@ -13,6 +13,7 @@ import { parseCompactConvo, replaceSpecialVars, isAssistantsEndpoint, + getDefaultParamsEndpoint, } from 'librechat-data-provider'; import type { TMessage, @@ -173,12 +174,14 @@ export default function useChatFunctions({ const startupConfig = queryClient.getQueryData([QueryKeys.startupConfig]); const endpointType = getEndpointField(endpointsConfig, endpoint, 'type'); const iconURL = conversation?.iconURL; + const defaultParamsEndpoint = getDefaultParamsEndpoint(endpointsConfig, endpoint); /** This becomes part of the `endpointOption` */ const convo = parseCompactConvo({ endpoint: endpoint as EndpointSchemaKey, endpointType: endpointType as EndpointSchemaKey, conversation: conversation ?? {}, + defaultParamsEndpoint, }); const { modelDisplayLabel } = endpointsConfig?.[endpoint ?? ''] ?? {}; diff --git a/client/src/hooks/Conversations/useDefaultConvo.ts b/client/src/hooks/Conversations/useDefaultConvo.ts index bfca39d3e0..67a40ce64e 100644 --- a/client/src/hooks/Conversations/useDefaultConvo.ts +++ b/client/src/hooks/Conversations/useDefaultConvo.ts @@ -1,5 +1,5 @@ -import { excludedKeys } from 'librechat-data-provider'; import { useGetModelsQuery } from 'librechat-data-provider/react-query'; +import { excludedKeys, getDefaultParamsEndpoint } from 'librechat-data-provider'; import type { TEndpointsConfig, TModelsConfig, @@ -47,11 +47,14 @@ const useDefaultConvo = () => { } } + const defaultParamsEndpoint = getDefaultParamsEndpoint(endpointsConfig, endpoint); + const defaultConvo = buildDefaultConvo({ conversation: conversation as TConversation, endpoint, lastConversationSetup: preset as TConversation, models, + defaultParamsEndpoint, }); if (!cleanOutput) { diff --git a/client/src/hooks/Conversations/useGenerateConvo.ts b/client/src/hooks/Conversations/useGenerateConvo.ts index d96f60e05d..abe3215753 100644 --- a/client/src/hooks/Conversations/useGenerateConvo.ts +++ b/client/src/hooks/Conversations/useGenerateConvo.ts @@ -1,7 +1,12 @@ import { useRecoilValue } from 'recoil'; import { useCallback, useRef, useEffect } from 'react'; import { useGetModelsQuery } from 'librechat-data-provider/react-query'; -import { getEndpointField, LocalStorageKeys, isAssistantsEndpoint } from 'librechat-data-provider'; +import { + getEndpointField, + LocalStorageKeys, + isAssistantsEndpoint, + getDefaultParamsEndpoint, +} from 'librechat-data-provider'; import type { TEndpointsConfig, EModelEndpoint, @@ -117,11 +122,13 @@ const useGenerateConvo = ({ } const models = modelsConfig?.[defaultEndpoint ?? ''] ?? []; + const defaultParamsEndpoint = getDefaultParamsEndpoint(endpointsConfig, defaultEndpoint); conversation = buildDefaultConvo({ conversation, lastConversationSetup: preset as TConversation, endpoint: defaultEndpoint ?? ('' as EModelEndpoint), models, + defaultParamsEndpoint, }); if (preset?.title != null && preset.title !== '') { diff --git a/client/src/hooks/Conversations/useNavigateToConvo.tsx b/client/src/hooks/Conversations/useNavigateToConvo.tsx index 114b70c6ef..b9d188eaf0 100644 --- a/client/src/hooks/Conversations/useNavigateToConvo.tsx +++ b/client/src/hooks/Conversations/useNavigateToConvo.tsx @@ -2,7 +2,13 @@ import { useCallback } from 'react'; import { useSetRecoilState } from 'recoil'; import { useNavigate } from 'react-router-dom'; import { useQueryClient } from '@tanstack/react-query'; -import { QueryKeys, Constants, dataService, getEndpointField } from 'librechat-data-provider'; +import { + QueryKeys, + Constants, + dataService, + getEndpointField, + getDefaultParamsEndpoint, +} from 'librechat-data-provider'; import type { TEndpointsConfig, TStartupConfig, @@ -106,11 +112,13 @@ const useNavigateToConvo = (index = 0) => { const models = modelsConfig?.[defaultEndpoint ?? ''] ?? []; + const defaultParamsEndpoint = getDefaultParamsEndpoint(endpointsConfig, defaultEndpoint); convo = buildDefaultConvo({ models, conversation, endpoint: defaultEndpoint, lastConversationSetup: conversation, + defaultParamsEndpoint, }); } clearAllConversations(true); diff --git a/client/src/hooks/useNewConvo.ts b/client/src/hooks/useNewConvo.ts index c468ab30a2..7fa499f40d 100644 --- a/client/src/hooks/useNewConvo.ts +++ b/client/src/hooks/useNewConvo.ts @@ -14,6 +14,7 @@ import { LocalStorageKeys, isEphemeralAgentId, isAssistantsEndpoint, + getDefaultParamsEndpoint, } from 'librechat-data-provider'; import type { TPreset, @@ -191,11 +192,13 @@ const useNewConvo = (index = 0) => { } const models = modelsConfig?.[defaultEndpoint] ?? []; + const defaultParamsEndpoint = getDefaultParamsEndpoint(endpointsConfig, defaultEndpoint); conversation = buildDefaultConvo({ conversation, lastConversationSetup: activePreset as TConversation, endpoint: defaultEndpoint, models, + defaultParamsEndpoint, }); } diff --git a/client/src/utils/__tests__/buildDefaultConvo.test.ts b/client/src/utils/__tests__/buildDefaultConvo.test.ts new file mode 100644 index 0000000000..00a4d6313b --- /dev/null +++ b/client/src/utils/__tests__/buildDefaultConvo.test.ts @@ -0,0 +1,202 @@ +import { EModelEndpoint } from 'librechat-data-provider'; +import type { TConversation } from 'librechat-data-provider'; +import buildDefaultConvo from '../buildDefaultConvo'; + +jest.mock('../localStorage', () => ({ + getLocalStorageItems: jest.fn(() => ({ + lastSelectedModel: {}, + lastSelectedTools: [], + lastConversationSetup: {}, + })), +})); + +const baseConversation: TConversation = { + conversationId: 'test-convo-id', + title: 'Test Conversation', + createdAt: '2024-01-01T00:00:00Z', + updatedAt: '2024-01-01T00:00:00Z', + endpoint: null, +}; + +describe('buildDefaultConvo - defaultParamsEndpoint', () => { + describe('custom endpoint with defaultParamsEndpoint: anthropic', () => { + const models = ['anthropic/claude-opus-4.5', 'anthropic/claude-sonnet-4']; + + it('should preserve maxOutputTokens from model spec preset', () => { + const preset: TConversation = { + ...baseConversation, + endpoint: 'AnthropicClaude' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + topP: 0.9, + maxContextTokens: 50000, + }; + + const result = buildDefaultConvo({ + models, + conversation: baseConversation, + endpoint: 'AnthropicClaude' as EModelEndpoint, + lastConversationSetup: preset, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result.maxOutputTokens).toBe(8192); + expect(result.topP).toBe(0.9); + expect(result.temperature).toBe(0.7); + expect(result.maxContextTokens).toBe(50000); + expect(result.model).toBe('anthropic/claude-opus-4.5'); + }); + + it('should strip maxOutputTokens without defaultParamsEndpoint', () => { + const preset: TConversation = { + ...baseConversation, + endpoint: 'AnthropicClaude' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + }; + + const result = buildDefaultConvo({ + models, + conversation: baseConversation, + endpoint: 'AnthropicClaude' as EModelEndpoint, + lastConversationSetup: preset, + }); + + expect(result.maxOutputTokens).toBeUndefined(); + expect(result.temperature).toBe(0.7); + }); + + it('should strip OpenAI-specific fields when using anthropic params', () => { + const preset: TConversation = { + ...baseConversation, + endpoint: 'AnthropicClaude' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + model: 'anthropic/claude-opus-4.5', + max_tokens: 4096, + top_p: 0.9, + presence_penalty: 0.5, + frequency_penalty: 0.3, + }; + + const result = buildDefaultConvo({ + models, + conversation: baseConversation, + endpoint: 'AnthropicClaude' as EModelEndpoint, + lastConversationSetup: preset, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result.max_tokens).toBeUndefined(); + expect(result.top_p).toBeUndefined(); + expect(result.presence_penalty).toBeUndefined(); + expect(result.frequency_penalty).toBeUndefined(); + }); + }); + + describe('custom endpoint without defaultParamsEndpoint (OpenAI default)', () => { + const models = ['gpt-4o', 'gpt-4.1']; + + it('should preserve OpenAI fields and strip anthropic fields', () => { + const preset: TConversation = { + ...baseConversation, + endpoint: 'MyOpenRouterEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + model: 'gpt-4o', + temperature: 0.7, + max_tokens: 4096, + top_p: 0.9, + maxOutputTokens: 8192, + }; + + const result = buildDefaultConvo({ + models, + conversation: baseConversation, + endpoint: 'MyOpenRouterEndpoint' as EModelEndpoint, + lastConversationSetup: preset, + }); + + expect(result.max_tokens).toBe(4096); + expect(result.top_p).toBe(0.9); + expect(result.temperature).toBe(0.7); + expect(result.maxOutputTokens).toBeUndefined(); + }); + }); + + describe('custom endpoint with defaultParamsEndpoint: google', () => { + const models = ['gemini-pro', 'gemini-1.5-pro']; + + it('should preserve Google-specific fields', () => { + const preset: TConversation = { + ...baseConversation, + endpoint: 'MyGoogleEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + model: 'gemini-pro', + temperature: 0.7, + maxOutputTokens: 8192, + topP: 0.9, + topK: 40, + }; + + const result = buildDefaultConvo({ + models, + conversation: baseConversation, + endpoint: 'MyGoogleEndpoint' as EModelEndpoint, + lastConversationSetup: preset, + defaultParamsEndpoint: EModelEndpoint.google, + }); + + expect(result.maxOutputTokens).toBe(8192); + expect(result.topP).toBe(0.9); + expect(result.topK).toBe(40); + }); + }); + + describe('cross-endpoint field isolation', () => { + it('should not carry bedrock region to a custom endpoint', () => { + const preset: TConversation = { + ...baseConversation, + endpoint: 'MyChatEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + model: 'gpt-4o', + temperature: 0.7, + region: 'us-east-1', + }; + + const result = buildDefaultConvo({ + models: ['gpt-4o'], + conversation: baseConversation, + endpoint: 'MyChatEndpoint' as EModelEndpoint, + lastConversationSetup: preset, + }); + + expect(result.region).toBeUndefined(); + expect(result.temperature).toBe(0.7); + }); + + it('should not carry bedrock region even with anthropic defaultParamsEndpoint', () => { + const preset: TConversation = { + ...baseConversation, + endpoint: 'MyChatEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + model: 'claude-3-opus', + region: 'us-east-1', + maxOutputTokens: 8192, + }; + + const result = buildDefaultConvo({ + models: ['claude-3-opus'], + conversation: baseConversation, + endpoint: 'MyChatEndpoint' as EModelEndpoint, + lastConversationSetup: preset, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result.region).toBeUndefined(); + expect(result.maxOutputTokens).toBe(8192); + }); + }); +}); diff --git a/client/src/utils/__tests__/cleanupPreset.integration.test.ts b/client/src/utils/__tests__/cleanupPreset.integration.test.ts new file mode 100644 index 0000000000..1e1219bc7a --- /dev/null +++ b/client/src/utils/__tests__/cleanupPreset.integration.test.ts @@ -0,0 +1,119 @@ +import { EModelEndpoint } from 'librechat-data-provider'; +import cleanupPreset from '../cleanupPreset'; + +/** + * Integration tests for cleanupPreset — NO mocks. + * Uses the real parseConvo to verify actual schema behavior + * with defaultParamsEndpoint for custom endpoints. + */ +describe('cleanupPreset - real parsing with defaultParamsEndpoint', () => { + it('should preserve maxOutputTokens when defaultParamsEndpoint is anthropic', () => { + const preset = { + presetId: 'test-id', + title: 'Claude Opus', + endpoint: 'AnthropicClaude', + endpointType: EModelEndpoint.custom, + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + topP: 0.9, + maxContextTokens: 50000, + }; + + const result = cleanupPreset({ + preset, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result.maxOutputTokens).toBe(8192); + expect(result.topP).toBe(0.9); + expect(result.temperature).toBe(0.7); + expect(result.maxContextTokens).toBe(50000); + expect(result.model).toBe('anthropic/claude-opus-4.5'); + }); + + it('should strip maxOutputTokens without defaultParamsEndpoint (OpenAI schema)', () => { + const preset = { + presetId: 'test-id', + title: 'GPT Custom', + endpoint: 'MyOpenRouter', + endpointType: EModelEndpoint.custom, + model: 'gpt-4o', + temperature: 0.7, + maxOutputTokens: 8192, + max_tokens: 4096, + }; + + const result = cleanupPreset({ preset }); + + expect(result.maxOutputTokens).toBeUndefined(); + expect(result.max_tokens).toBe(4096); + expect(result.temperature).toBe(0.7); + }); + + it('should strip OpenAI-specific fields when using anthropic params', () => { + const preset = { + presetId: 'test-id', + title: 'Claude Custom', + endpoint: 'AnthropicClaude', + endpointType: EModelEndpoint.custom, + model: 'anthropic/claude-3-opus', + max_tokens: 4096, + top_p: 0.9, + presence_penalty: 0.5, + frequency_penalty: 0.3, + temperature: 0.7, + }; + + const result = cleanupPreset({ + preset, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result.max_tokens).toBeUndefined(); + expect(result.top_p).toBeUndefined(); + expect(result.presence_penalty).toBeUndefined(); + expect(result.frequency_penalty).toBeUndefined(); + expect(result.temperature).toBe(0.7); + }); + + it('should not carry bedrock region to custom endpoint', () => { + const preset = { + presetId: 'test-id', + title: 'Custom', + endpoint: 'MyEndpoint', + endpointType: EModelEndpoint.custom, + model: 'gpt-4o', + temperature: 0.7, + region: 'us-east-1', + }; + + const result = cleanupPreset({ preset }); + + expect(result.region).toBeUndefined(); + expect(result.temperature).toBe(0.7); + }); + + it('should preserve Google-specific fields when defaultParamsEndpoint is google', () => { + const preset = { + presetId: 'test-id', + title: 'Gemini Custom', + endpoint: 'MyGoogleEndpoint', + endpointType: EModelEndpoint.custom, + model: 'gemini-pro', + temperature: 0.7, + maxOutputTokens: 8192, + topP: 0.9, + topK: 40, + }; + + const result = cleanupPreset({ + preset, + defaultParamsEndpoint: EModelEndpoint.google, + }); + + expect(result.maxOutputTokens).toBe(8192); + expect(result.topP).toBe(0.9); + expect(result.topK).toBe(40); + }); +}); diff --git a/client/src/utils/__tests__/cleanupPreset.test.ts b/client/src/utils/__tests__/cleanupPreset.test.ts index a03477de15..766bb872ac 100644 --- a/client/src/utils/__tests__/cleanupPreset.test.ts +++ b/client/src/utils/__tests__/cleanupPreset.test.ts @@ -1,12 +1,9 @@ -import { EModelEndpoint } from 'librechat-data-provider'; +import { EModelEndpoint, parseConvo } from 'librechat-data-provider'; import cleanupPreset from '../cleanupPreset'; -import type { TPreset } from 'librechat-data-provider'; - // Mock parseConvo since we're focusing on testing the chatGptLabel migration logic jest.mock('librechat-data-provider', () => ({ ...jest.requireActual('librechat-data-provider'), parseConvo: jest.fn((input) => { - // Return a simplified mock that passes through most properties const { conversation } = input; return { ...conversation, @@ -221,4 +218,41 @@ describe('cleanupPreset', () => { expect(result.presetId).toBeNull(); }); }); + + describe('defaultParamsEndpoint threading', () => { + it('should pass defaultParamsEndpoint to parseConvo', () => { + const preset = { + ...basePreset, + endpoint: 'MyCustomEndpoint', + endpointType: EModelEndpoint.custom, + }; + + cleanupPreset({ + preset, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(parseConvo).toHaveBeenCalledWith( + expect.objectContaining({ + defaultParamsEndpoint: EModelEndpoint.anthropic, + }), + ); + }); + + it('should pass undefined defaultParamsEndpoint when not provided', () => { + const preset = { + ...basePreset, + endpoint: 'MyCustomEndpoint', + endpointType: EModelEndpoint.custom, + }; + + cleanupPreset({ preset }); + + expect(parseConvo).toHaveBeenCalledWith( + expect.objectContaining({ + defaultParamsEndpoint: undefined, + }), + ); + }); + }); }); diff --git a/client/src/utils/buildDefaultConvo.ts b/client/src/utils/buildDefaultConvo.ts index 025bec24eb..c2d2871912 100644 --- a/client/src/utils/buildDefaultConvo.ts +++ b/client/src/utils/buildDefaultConvo.ts @@ -14,11 +14,13 @@ const buildDefaultConvo = ({ conversation, endpoint = null, lastConversationSetup, + defaultParamsEndpoint, }: { models: string[]; conversation: TConversation; endpoint?: EModelEndpoint | null; lastConversationSetup: TConversation | null; + defaultParamsEndpoint?: string | null; }): TConversation => { const { lastSelectedModel, lastSelectedTools } = getLocalStorageItems(); const endpointType = lastConversationSetup?.endpointType ?? conversation.endpointType; @@ -49,6 +51,7 @@ const buildDefaultConvo = ({ possibleValues: { models: possibleModels, }, + defaultParamsEndpoint, }); const defaultConvo = { diff --git a/client/src/utils/cleanupPreset.ts b/client/src/utils/cleanupPreset.ts index c158d935fa..ad44726064 100644 --- a/client/src/utils/cleanupPreset.ts +++ b/client/src/utils/cleanupPreset.ts @@ -4,9 +4,10 @@ import type { TPreset } from 'librechat-data-provider'; type UIPreset = Partial & { presetOverride?: Partial }; type TCleanupPreset = { preset?: UIPreset; + defaultParamsEndpoint?: string | null; }; -const cleanupPreset = ({ preset: _preset }: TCleanupPreset): TPreset => { +const cleanupPreset = ({ preset: _preset, defaultParamsEndpoint }: TCleanupPreset): TPreset => { const { endpoint, endpointType } = _preset ?? ({} as UIPreset); if (endpoint == null || endpoint === '') { console.error(`Unknown endpoint ${endpoint}`, _preset); @@ -35,8 +36,13 @@ const cleanupPreset = ({ preset: _preset }: TCleanupPreset): TPreset => { delete preset.chatGptLabel; } - /* @ts-ignore: endpoint can be a custom defined name */ - const parsedPreset = parseConvo({ endpoint, endpointType, conversation: preset }); + const parsedPreset = parseConvo({ + /* @ts-ignore: endpoint can be a custom defined name */ + endpoint, + endpointType, + conversation: preset, + defaultParamsEndpoint, + }); return { presetId: _preset?.presetId ?? null, diff --git a/packages/api/src/agents/__tests__/initialize.test.ts b/packages/api/src/agents/__tests__/initialize.test.ts new file mode 100644 index 0000000000..01310a09c4 --- /dev/null +++ b/packages/api/src/agents/__tests__/initialize.test.ts @@ -0,0 +1,284 @@ +import { Providers } from '@librechat/agents'; +import { EModelEndpoint } from 'librechat-data-provider'; +import type { Agent } from 'librechat-data-provider'; +import type { ServerRequest, InitializeResultBase } from '~/types'; +import type { InitializeAgentDbMethods } from '../initialize'; + +// Mock logger +jest.mock('winston', () => ({ + createLogger: jest.fn(() => ({ + debug: jest.fn(), + warn: jest.fn(), + error: jest.fn(), + })), + format: { + combine: jest.fn(), + colorize: jest.fn(), + simple: jest.fn(), + }, + transports: { + Console: jest.fn(), + }, +})); + +const mockExtractLibreChatParams = jest.fn(); +const mockGetModelMaxTokens = jest.fn(); +const mockOptionalChainWithEmptyCheck = jest.fn(); +const mockGetThreadData = jest.fn(); + +jest.mock('~/utils', () => ({ + extractLibreChatParams: (...args: unknown[]) => mockExtractLibreChatParams(...args), + getModelMaxTokens: (...args: unknown[]) => mockGetModelMaxTokens(...args), + optionalChainWithEmptyCheck: (...args: unknown[]) => mockOptionalChainWithEmptyCheck(...args), + getThreadData: (...args: unknown[]) => mockGetThreadData(...args), +})); + +const mockGetProviderConfig = jest.fn(); +jest.mock('~/endpoints', () => ({ + getProviderConfig: (...args: unknown[]) => mockGetProviderConfig(...args), +})); + +jest.mock('~/files', () => ({ + filterFilesByEndpointConfig: jest.fn(() => []), +})); + +jest.mock('~/prompts', () => ({ + generateArtifactsPrompt: jest.fn(() => null), +})); + +jest.mock('../resources', () => ({ + primeResources: jest.fn().mockResolvedValue({ + attachments: [], + tool_resources: undefined, + }), +})); + +import { initializeAgent } from '../initialize'; + +/** + * Creates minimal mock objects for initializeAgent tests. + */ +function createMocks(overrides?: { + maxContextTokens?: number; + modelDefault?: number; + maxOutputTokens?: number; +}) { + const { maxContextTokens, modelDefault = 200000, maxOutputTokens = 4096 } = overrides ?? {}; + + const agent = { + id: 'agent-1', + model: 'test-model', + provider: Providers.OPENAI, + tools: [], + model_parameters: { model: 'test-model' }, + } as unknown as Agent; + + const req = { + user: { id: 'user-1' }, + config: {}, + } as unknown as ServerRequest; + + const res = {} as unknown as import('express').Response; + + const mockGetOptions = jest.fn().mockResolvedValue({ + llmConfig: { + model: 'test-model', + maxTokens: maxOutputTokens, + }, + endpointTokenConfig: undefined, + } satisfies InitializeResultBase); + + mockGetProviderConfig.mockReturnValue({ + getOptions: mockGetOptions, + overrideProvider: Providers.OPENAI, + }); + + // extractLibreChatParams returns maxContextTokens when provided in model_parameters + mockExtractLibreChatParams.mockReturnValue({ + resendFiles: false, + maxContextTokens, + modelOptions: { model: 'test-model' }, + }); + + // getModelMaxTokens returns the model's default context window + mockGetModelMaxTokens.mockReturnValue(modelDefault); + + // Implement real optionalChainWithEmptyCheck behavior + mockOptionalChainWithEmptyCheck.mockImplementation( + (...values: (string | number | undefined)[]) => { + for (const v of values) { + if (v !== undefined && v !== null && v !== '') { + return v; + } + } + return values[values.length - 1]; + }, + ); + + const loadTools = jest.fn().mockResolvedValue({ + tools: [], + toolContextMap: {}, + userMCPAuthMap: undefined, + toolRegistry: undefined, + toolDefinitions: [], + hasDeferredTools: false, + }); + + const db: InitializeAgentDbMethods = { + getFiles: jest.fn().mockResolvedValue([]), + getConvoFiles: jest.fn().mockResolvedValue([]), + updateFilesUsage: jest.fn().mockResolvedValue([]), + getUserKey: jest.fn().mockResolvedValue('user-1'), + getUserKeyValues: jest.fn().mockResolvedValue([]), + getToolFilesByIds: jest.fn().mockResolvedValue([]), + }; + + return { agent, req, res, loadTools, db }; +} + +describe('initializeAgent — maxContextTokens', () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + + it('uses user-configured maxContextTokens when provided via model_parameters', async () => { + const userValue = 50000; + const { agent, req, res, loadTools, db } = createMocks({ + maxContextTokens: userValue, + modelDefault: 200000, + maxOutputTokens: 4096, + }); + + const result = await initializeAgent( + { + req, + res, + agent, + loadTools, + endpointOption: { + endpoint: EModelEndpoint.agents, + model_parameters: { maxContextTokens: userValue }, + }, + allowedProviders: new Set([Providers.OPENAI]), + isInitialAgent: true, + }, + db, + ); + + expect(result.maxContextTokens).toBe(userValue); + }); + + it('falls back to formula when maxContextTokens is NOT provided', async () => { + const modelDefault = 200000; + const maxOutputTokens = 4096; + const { agent, req, res, loadTools, db } = createMocks({ + maxContextTokens: undefined, + modelDefault, + maxOutputTokens, + }); + + const result = await initializeAgent( + { + req, + res, + agent, + loadTools, + endpointOption: { endpoint: EModelEndpoint.agents }, + allowedProviders: new Set([Providers.OPENAI]), + isInitialAgent: true, + }, + db, + ); + + const expected = Math.round((modelDefault - maxOutputTokens) * 0.9); + expect(result.maxContextTokens).toBe(expected); + }); + + it('falls back to formula when maxContextTokens is 0', async () => { + const maxOutputTokens = 4096; + const { agent, req, res, loadTools, db } = createMocks({ + maxContextTokens: 0, + modelDefault: 200000, + maxOutputTokens, + }); + + const result = await initializeAgent( + { + req, + res, + agent, + loadTools, + endpointOption: { + endpoint: EModelEndpoint.agents, + model_parameters: { maxContextTokens: 0 }, + }, + allowedProviders: new Set([Providers.OPENAI]), + isInitialAgent: true, + }, + db, + ); + + // 0 is not used as-is; the formula kicks in. + // optionalChainWithEmptyCheck(0, 200000, 18000) returns 0 (not null/undefined), + // then Number(0) || 18000 = 18000 (the fallback default). + expect(result.maxContextTokens).not.toBe(0); + const expected = Math.round((18000 - maxOutputTokens) * 0.9); + expect(result.maxContextTokens).toBe(expected); + }); + + it('falls back to formula when maxContextTokens is negative', async () => { + const maxOutputTokens = 4096; + const { agent, req, res, loadTools, db } = createMocks({ + maxContextTokens: -1, + modelDefault: 200000, + maxOutputTokens, + }); + + const result = await initializeAgent( + { + req, + res, + agent, + loadTools, + endpointOption: { + endpoint: EModelEndpoint.agents, + model_parameters: { maxContextTokens: -1 }, + }, + allowedProviders: new Set([Providers.OPENAI]), + isInitialAgent: true, + }, + db, + ); + + // -1 is not used as-is; the formula kicks in + expect(result.maxContextTokens).not.toBe(-1); + }); + + it('preserves small user-configured value (e.g. 1000 from modelSpec)', async () => { + const userValue = 1000; + const { agent, req, res, loadTools, db } = createMocks({ + maxContextTokens: userValue, + modelDefault: 128000, + maxOutputTokens: 4096, + }); + + const result = await initializeAgent( + { + req, + res, + agent, + loadTools, + endpointOption: { + endpoint: EModelEndpoint.agents, + model_parameters: { maxContextTokens: userValue }, + }, + allowedProviders: new Set([Providers.OPENAI]), + isInitialAgent: true, + }, + db, + ); + + // Should NOT be overridden to Math.round((128000 - 4096) * 0.9) = 111,514 + expect(result.maxContextTokens).toBe(userValue); + }); +}); diff --git a/packages/api/src/agents/initialize.ts b/packages/api/src/agents/initialize.ts index 008aa4c0ba..af604beb81 100644 --- a/packages/api/src/agents/initialize.ts +++ b/packages/api/src/agents/initialize.ts @@ -413,7 +413,10 @@ export async function initializeAgent( toolContextMap: toolContextMap ?? {}, useLegacyContent: !!options.useLegacyContent, tools: (tools ?? []) as GenericTool[] & string[], - maxContextTokens: Math.round((agentMaxContextNum - maxOutputTokensNum) * 0.9), + maxContextTokens: + maxContextTokens != null && maxContextTokens > 0 + ? maxContextTokens + : Math.round((agentMaxContextNum - maxOutputTokensNum) * 0.9), }; return initializedAgent; diff --git a/packages/data-provider/specs/parsers.spec.ts b/packages/data-provider/specs/parsers.spec.ts index 012d33177b..90359d6e6f 100644 --- a/packages/data-provider/specs/parsers.spec.ts +++ b/packages/data-provider/specs/parsers.spec.ts @@ -1,4 +1,4 @@ -import { replaceSpecialVars, parseCompactConvo, parseTextParts } from '../src/parsers'; +import { replaceSpecialVars, parseConvo, parseCompactConvo, parseTextParts } from '../src/parsers'; import { specialVariables } from '../src/config'; import { EModelEndpoint } from '../src/schemas'; import { ContentTypes } from '../src/types/runs'; @@ -262,6 +262,257 @@ describe('parseCompactConvo', () => { }); }); +describe('parseConvo - defaultParamsEndpoint', () => { + test('should strip maxOutputTokens for custom endpoint without defaultParamsEndpoint', () => { + const conversation: Partial = { + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + maxContextTokens: 50000, + }; + + const result = parseConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + }); + + expect(result).not.toBeNull(); + expect(result?.temperature).toBe(0.7); + expect(result?.maxContextTokens).toBe(50000); + expect(result?.maxOutputTokens).toBeUndefined(); + }); + + test('should preserve maxOutputTokens when defaultParamsEndpoint is anthropic', () => { + const conversation: Partial = { + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + topP: 0.9, + topK: 40, + maxContextTokens: 50000, + }; + + const result = parseConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result).not.toBeNull(); + expect(result?.model).toBe('anthropic/claude-opus-4.5'); + expect(result?.temperature).toBe(0.7); + expect(result?.maxOutputTokens).toBe(8192); + expect(result?.topP).toBe(0.9); + expect(result?.topK).toBe(40); + expect(result?.maxContextTokens).toBe(50000); + }); + + test('should strip OpenAI-specific fields when defaultParamsEndpoint is anthropic', () => { + const conversation: Partial = { + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + max_tokens: 4096, + top_p: 0.9, + presence_penalty: 0.5, + frequency_penalty: 0.3, + }; + + const result = parseConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result).not.toBeNull(); + expect(result?.temperature).toBe(0.7); + expect(result?.max_tokens).toBeUndefined(); + expect(result?.top_p).toBeUndefined(); + expect(result?.presence_penalty).toBeUndefined(); + expect(result?.frequency_penalty).toBeUndefined(); + }); + + test('should preserve max_tokens when defaultParamsEndpoint is not set (OpenAI default)', () => { + const conversation: Partial = { + model: 'gpt-4o', + temperature: 0.7, + max_tokens: 4096, + top_p: 0.9, + }; + + const result = parseConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + }); + + expect(result).not.toBeNull(); + expect(result?.max_tokens).toBe(4096); + expect(result?.top_p).toBe(0.9); + }); + + test('should preserve Google-specific fields when defaultParamsEndpoint is google', () => { + const conversation: Partial = { + model: 'gemini-pro', + temperature: 0.7, + maxOutputTokens: 8192, + topP: 0.9, + topK: 40, + }; + + const result = parseConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + defaultParamsEndpoint: EModelEndpoint.google, + }); + + expect(result).not.toBeNull(); + expect(result?.maxOutputTokens).toBe(8192); + expect(result?.topP).toBe(0.9); + expect(result?.topK).toBe(40); + }); + + test('should not strip fields from non-custom endpoints that already have a schema', () => { + const conversation: Partial = { + model: 'gpt-4o', + temperature: 0.7, + max_tokens: 4096, + top_p: 0.9, + }; + + const result = parseConvo({ + endpoint: EModelEndpoint.openAI, + conversation, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result).not.toBeNull(); + expect(result?.max_tokens).toBe(4096); + expect(result?.top_p).toBe(0.9); + }); + + test('should not carry bedrock region to custom endpoint without defaultParamsEndpoint', () => { + const conversation: Partial = { + model: 'gpt-4o', + temperature: 0.7, + region: 'us-east-1', + }; + + const result = parseConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + }); + + expect(result).not.toBeNull(); + expect(result?.temperature).toBe(0.7); + expect(result?.region).toBeUndefined(); + }); + + test('should fall back to endpointType schema when defaultParamsEndpoint is invalid', () => { + const conversation: Partial = { + model: 'gpt-4o', + temperature: 0.7, + max_tokens: 4096, + maxOutputTokens: 8192, + }; + + const result = parseConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + defaultParamsEndpoint: 'nonexistent_endpoint', + }); + + expect(result).not.toBeNull(); + expect(result?.max_tokens).toBe(4096); + expect(result?.maxOutputTokens).toBeUndefined(); + }); +}); + +describe('parseCompactConvo - defaultParamsEndpoint', () => { + test('should strip maxOutputTokens for custom endpoint without defaultParamsEndpoint', () => { + const conversation: Partial = { + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + }; + + const result = parseCompactConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + }); + + expect(result).not.toBeNull(); + expect(result?.temperature).toBe(0.7); + expect(result?.maxOutputTokens).toBeUndefined(); + }); + + test('should preserve maxOutputTokens when defaultParamsEndpoint is anthropic', () => { + const conversation: Partial = { + model: 'anthropic/claude-opus-4.5', + temperature: 0.7, + maxOutputTokens: 8192, + topP: 0.9, + maxContextTokens: 50000, + }; + + const result = parseCompactConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result).not.toBeNull(); + expect(result?.maxOutputTokens).toBe(8192); + expect(result?.topP).toBe(0.9); + expect(result?.maxContextTokens).toBe(50000); + }); + + test('should strip iconURL even when defaultParamsEndpoint is set', () => { + const conversation: Partial = { + model: 'anthropic/claude-opus-4.5', + iconURL: 'https://malicious.com/track.png', + maxOutputTokens: 8192, + }; + + const result = parseCompactConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + defaultParamsEndpoint: EModelEndpoint.anthropic, + }); + + expect(result).not.toBeNull(); + expect(result?.['iconURL']).toBeUndefined(); + expect(result?.maxOutputTokens).toBe(8192); + }); + + test('should fall back to endpointType when defaultParamsEndpoint is null', () => { + const conversation: Partial = { + model: 'gpt-4o', + max_tokens: 4096, + maxOutputTokens: 8192, + }; + + const result = parseCompactConvo({ + endpoint: 'MyCustomEndpoint' as EModelEndpoint, + endpointType: EModelEndpoint.custom, + conversation, + defaultParamsEndpoint: null, + }); + + expect(result).not.toBeNull(); + expect(result?.max_tokens).toBe(4096); + expect(result?.maxOutputTokens).toBeUndefined(); + }); +}); + describe('parseTextParts', () => { test('should concatenate text parts', () => { const parts: TMessageContentParts[] = [ diff --git a/packages/data-provider/src/config.ts b/packages/data-provider/src/config.ts index a2b47351b1..f6567e8da9 100644 --- a/packages/data-provider/src/config.ts +++ b/packages/data-provider/src/config.ts @@ -1908,3 +1908,14 @@ export function getEndpointField< } return config[property]; } + +/** Resolves the `defaultParamsEndpoint` for a given endpoint from its custom params config */ +export function getDefaultParamsEndpoint( + endpointsConfig: TEndpointsConfig | undefined | null, + endpoint: string | null | undefined, +): string | undefined { + if (!endpointsConfig || !endpoint) { + return undefined; + } + return endpointsConfig[endpoint]?.customParams?.defaultParamsEndpoint; +} diff --git a/packages/data-provider/src/parsers.ts b/packages/data-provider/src/parsers.ts index ff47375769..ab6ff927f7 100644 --- a/packages/data-provider/src/parsers.ts +++ b/packages/data-provider/src/parsers.ts @@ -144,26 +144,25 @@ export const parseConvo = ({ endpointType, conversation, possibleValues, + defaultParamsEndpoint, }: { endpoint: EndpointSchemaKey; endpointType?: EndpointSchemaKey | null; conversation: Partial | null; possibleValues?: TPossibleValues; - // TODO: POC for default schema - // defaultSchema?: Partial, + defaultParamsEndpoint?: string | null; }) => { let schema = endpointSchemas[endpoint] as EndpointSchema | undefined; if (!schema && !endpointType) { throw new Error(`Unknown endpoint: ${endpoint}`); - } else if (!schema && endpointType) { - schema = endpointSchemas[endpointType]; + } else if (!schema) { + const overrideSchema = defaultParamsEndpoint + ? endpointSchemas[defaultParamsEndpoint as EndpointSchemaKey] + : undefined; + schema = overrideSchema ?? (endpointType ? endpointSchemas[endpointType] : undefined); } - // if (defaultSchema && schemaCreators[endpoint]) { - // schema = schemaCreators[endpoint](defaultSchema); - // } - const convo = schema?.parse(conversation) as s.TConversation | undefined; const { models } = possibleValues ?? {}; @@ -310,13 +309,13 @@ export const parseCompactConvo = ({ endpointType, conversation, possibleValues, + defaultParamsEndpoint, }: { endpoint?: EndpointSchemaKey; endpointType?: EndpointSchemaKey | null; conversation: Partial; possibleValues?: TPossibleValues; - // TODO: POC for default schema - // defaultSchema?: Partial, + defaultParamsEndpoint?: string | null; }): Omit | null => { if (!endpoint) { throw new Error(`undefined endpoint: ${endpoint}`); @@ -326,8 +325,11 @@ export const parseCompactConvo = ({ if (!schema && !endpointType) { throw new Error(`Unknown endpoint: ${endpoint}`); - } else if (!schema && endpointType) { - schema = compactEndpointSchemas[endpointType]; + } else if (!schema) { + const overrideSchema = defaultParamsEndpoint + ? compactEndpointSchemas[defaultParamsEndpoint as EndpointSchemaKey] + : undefined; + schema = overrideSchema ?? (endpointType ? compactEndpointSchemas[endpointType] : undefined); } if (!schema) { From f72378d389dfa27f77fca88578be42a25d58dea0 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Fri, 13 Feb 2026 23:17:53 -0500 Subject: [PATCH 28/55] =?UTF-8?q?=F0=9F=A7=A9=20chore:=20Extract=20Agent?= =?UTF-8?q?=20Client=20Utilities=20to=20`/packages/api`=20(#11789)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extract 7 standalone utilities from api/server/controllers/agents/client.js into packages/api/src/agents/client.ts for TypeScript support and to declutter the 1400-line controller module: - omitTitleOptions: Set of keys to exclude from title generation options - payloadParser: Extracts model_parameters from request body for non-agent endpoints - createTokenCounter: Factory for langchain-compatible token counting functions - logToolError: Callback handler for agent tool execution errors - findPrimaryAgentId: Resolves primary agent from suffixed parallel agent IDs - createMultiAgentMapper: Message content processor that filters parallel agent output to primary agents and applies agent labels for handoff/multi-agent flows Supporting changes: - Add endpointOption and endpointType to RequestBody type (packages/api/src/types/http.ts) so payloadParser can access middleware-attached fields without type casts - Add @typescript-eslint/no-unused-vars with underscore ignore patterns to the packages/api eslint config block, matching the convention used by client/ and data-provider/ blocks - Update agent controller imports to consume the moved functions from @librechat/api and remove now-unused direct imports (logAxiosError, labelContentByAgent, getTokenCountForMessage) --- api/server/controllers/agents/client.js | 179 +----------------------- eslint.config.mjs | 9 ++ packages/api/src/agents/client.ts | 162 +++++++++++++++++++++ packages/api/src/agents/index.ts | 1 + packages/api/src/types/http.ts | 5 +- 5 files changed, 181 insertions(+), 175 deletions(-) create mode 100644 packages/api/src/agents/client.ts diff --git a/api/server/controllers/agents/client.js b/api/server/controllers/agents/client.js index 8e8a993a5d..49240a6b3b 100644 --- a/api/server/controllers/agents/client.js +++ b/api/server/controllers/agents/client.js @@ -6,18 +6,22 @@ const { Tokenizer, checkAccess, buildToolSet, - logAxiosError, sanitizeTitle, + logToolError, + payloadParser, resolveHeaders, createSafeUser, initializeAgent, getBalanceConfig, getProviderConfig, + omitTitleOptions, memoryInstructions, applyContextToAgent, + createTokenCounter, GenerationJobManager, getTransactionsConfig, createMemoryProcessor, + createMultiAgentMapper, filterMalformedContentParts, } = require('@librechat/api'); const { @@ -25,9 +29,7 @@ const { Providers, TitleMethod, formatMessage, - labelContentByAgent, formatAgentMessages, - getTokenCountForMessage, createMetadataAggregator, } = require('@librechat/agents'); const { @@ -51,177 +53,6 @@ const { loadAgent } = require('~/models/Agent'); const { getMCPManager } = require('~/config'); const db = require('~/models'); -const omitTitleOptions = new Set([ - 'stream', - 'thinking', - 'streaming', - 'clientOptions', - 'thinkingConfig', - 'thinkingBudget', - 'includeThoughts', - 'maxOutputTokens', - 'additionalModelRequestFields', -]); - -/** - * @param {ServerRequest} req - * @param {Agent} agent - * @param {string} endpoint - */ -const payloadParser = ({ req, endpoint }) => { - if (isAgentsEndpoint(endpoint)) { - return; - } - return req.body?.endpointOption?.model_parameters; -}; - -function createTokenCounter(encoding) { - return function (message) { - const countTokens = (text) => Tokenizer.getTokenCount(text, encoding); - return getTokenCountForMessage(message, countTokens); - }; -} - -function logToolError(graph, error, toolId) { - logAxiosError({ - error, - message: `[api/server/controllers/agents/client.js #chatCompletion] Tool Error "${toolId}"`, - }); -} - -/** Regex pattern to match agent ID suffix (____N) */ -const AGENT_SUFFIX_PATTERN = /____(\d+)$/; - -/** - * Finds the primary agent ID within a set of agent IDs. - * Primary = no suffix (____N) or lowest suffix number. - * @param {Set} agentIds - * @returns {string | null} - */ -function findPrimaryAgentId(agentIds) { - let primaryAgentId = null; - let lowestSuffixIndex = Infinity; - - for (const agentId of agentIds) { - const suffixMatch = agentId.match(AGENT_SUFFIX_PATTERN); - if (!suffixMatch) { - return agentId; - } - const suffixIndex = parseInt(suffixMatch[1], 10); - if (suffixIndex < lowestSuffixIndex) { - lowestSuffixIndex = suffixIndex; - primaryAgentId = agentId; - } - } - - return primaryAgentId; -} - -/** - * Creates a mapMethod for getMessagesForConversation that processes agent content. - * - Strips agentId/groupId metadata from all content - * - For parallel agents (addedConvo with groupId): filters each group to its primary agent - * - For handoffs (agentId without groupId): keeps all content from all agents - * - For multi-agent: applies agent labels to content - * - * The key distinction: - * - Parallel execution (addedConvo): Parts have both agentId AND groupId - * - Handoffs: Parts only have agentId, no groupId - * - * @param {Agent} primaryAgent - Primary agent configuration - * @param {Map} [agentConfigs] - Additional agent configurations - * @returns {(message: TMessage) => TMessage} Map method for processing messages - */ -function createMultiAgentMapper(primaryAgent, agentConfigs) { - const hasMultipleAgents = (primaryAgent.edges?.length ?? 0) > 0 || (agentConfigs?.size ?? 0) > 0; - - /** @type {Record | null} */ - let agentNames = null; - if (hasMultipleAgents) { - agentNames = { [primaryAgent.id]: primaryAgent.name || 'Assistant' }; - if (agentConfigs) { - for (const [agentId, agentConfig] of agentConfigs.entries()) { - agentNames[agentId] = agentConfig.name || agentConfig.id; - } - } - } - - return (message) => { - if (message.isCreatedByUser || !Array.isArray(message.content)) { - return message; - } - - // Check for metadata - const hasAgentMetadata = message.content.some((part) => part?.agentId || part?.groupId != null); - if (!hasAgentMetadata) { - return message; - } - - try { - // Build a map of groupId -> Set of agentIds, to find primary per group - /** @type {Map>} */ - const groupAgentMap = new Map(); - - for (const part of message.content) { - const groupId = part?.groupId; - const agentId = part?.agentId; - if (groupId != null && agentId) { - if (!groupAgentMap.has(groupId)) { - groupAgentMap.set(groupId, new Set()); - } - groupAgentMap.get(groupId).add(agentId); - } - } - - // For each group, find the primary agent - /** @type {Map} */ - const groupPrimaryMap = new Map(); - for (const [groupId, agentIds] of groupAgentMap) { - const primary = findPrimaryAgentId(agentIds); - if (primary) { - groupPrimaryMap.set(groupId, primary); - } - } - - /** @type {Array} */ - const filteredContent = []; - /** @type {Record} */ - const agentIdMap = {}; - - for (const part of message.content) { - const agentId = part?.agentId; - const groupId = part?.groupId; - - // Filtering logic: - // - No groupId (handoffs): always include - // - Has groupId (parallel): only include if it's the primary for that group - const isParallelPart = groupId != null; - const groupPrimary = isParallelPart ? groupPrimaryMap.get(groupId) : null; - const shouldInclude = !isParallelPart || !agentId || agentId === groupPrimary; - - if (shouldInclude) { - const newIndex = filteredContent.length; - const { agentId: _a, groupId: _g, ...cleanPart } = part; - filteredContent.push(cleanPart); - if (agentId && hasMultipleAgents) { - agentIdMap[newIndex] = agentId; - } - } - } - - const finalContent = - Object.keys(agentIdMap).length > 0 && agentNames - ? labelContentByAgent(filteredContent, agentIdMap, agentNames) - : filteredContent; - - return { ...message, content: finalContent }; - } catch (error) { - logger.error('[AgentClient] Error processing multi-agent message:', error); - return message; - } - }; -} - class AgentClient extends BaseClient { constructor(options = {}) { super(null, options); diff --git a/eslint.config.mjs b/eslint.config.mjs index 9990e0fc35..f53c4e83dd 100644 --- a/eslint.config.mjs +++ b/eslint.config.mjs @@ -291,6 +291,15 @@ export default [ files: ['./packages/api/**/*.ts'], rules: { 'lines-between-class-members': ['error', 'always', { exceptAfterSingleLine: true }], + '@typescript-eslint/no-unused-vars': [ + 'warn', + { + argsIgnorePattern: '^_', + varsIgnorePattern: '^_', + caughtErrorsIgnorePattern: '^_', + destructuredArrayIgnorePattern: '^_', + }, + ], }, }, { diff --git a/packages/api/src/agents/client.ts b/packages/api/src/agents/client.ts new file mode 100644 index 0000000000..fd5d50f211 --- /dev/null +++ b/packages/api/src/agents/client.ts @@ -0,0 +1,162 @@ +import { logger } from '@librechat/data-schemas'; +import { isAgentsEndpoint } from 'librechat-data-provider'; +import { labelContentByAgent, getTokenCountForMessage } from '@librechat/agents'; +import type { MessageContentComplex } from '@librechat/agents'; +import type { Agent, TMessage } from 'librechat-data-provider'; +import type { BaseMessage } from '@langchain/core/messages'; +import type { ServerRequest } from '~/types'; +import Tokenizer from '~/utils/tokenizer'; +import { logAxiosError } from '~/utils'; + +export const omitTitleOptions = new Set([ + 'stream', + 'thinking', + 'streaming', + 'clientOptions', + 'thinkingConfig', + 'thinkingBudget', + 'includeThoughts', + 'maxOutputTokens', + 'additionalModelRequestFields', +]); + +export function payloadParser({ req, endpoint }: { req: ServerRequest; endpoint: string }) { + if (isAgentsEndpoint(endpoint)) { + return; + } + return req.body?.endpointOption?.model_parameters; +} + +export function createTokenCounter(encoding: Parameters[1]) { + return function (message: BaseMessage) { + const countTokens = (text: string) => Tokenizer.getTokenCount(text, encoding); + return getTokenCountForMessage(message, countTokens); + }; +} + +export function logToolError(_graph: unknown, error: unknown, toolId: string) { + logAxiosError({ + error, + message: `[api/server/controllers/agents/client.js #chatCompletion] Tool Error "${toolId}"`, + }); +} + +const AGENT_SUFFIX_PATTERN = /____(\d+)$/; + +/** Finds the primary agent ID within a set of agent IDs (no suffix or lowest suffix number) */ +export function findPrimaryAgentId(agentIds: Set): string | null { + let primaryAgentId: string | null = null; + let lowestSuffixIndex = Infinity; + + for (const agentId of agentIds) { + const suffixMatch = agentId.match(AGENT_SUFFIX_PATTERN); + if (!suffixMatch) { + return agentId; + } + const suffixIndex = parseInt(suffixMatch[1], 10); + if (suffixIndex < lowestSuffixIndex) { + lowestSuffixIndex = suffixIndex; + primaryAgentId = agentId; + } + } + + return primaryAgentId; +} + +type ContentPart = TMessage['content'] extends (infer U)[] | undefined ? U : never; + +/** + * Creates a mapMethod for getMessagesForConversation that processes agent content. + * - Strips agentId/groupId metadata from all content + * - For parallel agents (addedConvo with groupId): filters each group to its primary agent + * - For handoffs (agentId without groupId): keeps all content from all agents + * - For multi-agent: applies agent labels to content + * + * The key distinction: + * - Parallel execution (addedConvo): Parts have both agentId AND groupId + * - Handoffs: Parts only have agentId, no groupId + */ +export function createMultiAgentMapper(primaryAgent: Agent, agentConfigs?: Map) { + const hasMultipleAgents = (primaryAgent.edges?.length ?? 0) > 0 || (agentConfigs?.size ?? 0) > 0; + + let agentNames: Record | null = null; + if (hasMultipleAgents) { + agentNames = { [primaryAgent.id]: primaryAgent.name || 'Assistant' }; + if (agentConfigs) { + for (const [agentId, agentConfig] of agentConfigs.entries()) { + agentNames[agentId] = agentConfig.name || agentConfig.id; + } + } + } + + return (message: TMessage): TMessage => { + if (message.isCreatedByUser || !Array.isArray(message.content)) { + return message; + } + + const hasAgentMetadata = message.content.some( + (part) => + (part as ContentPart & { agentId?: string; groupId?: number })?.agentId || + (part as ContentPart & { groupId?: number })?.groupId != null, + ); + if (!hasAgentMetadata) { + return message; + } + + try { + const groupAgentMap = new Map>(); + + for (const part of message.content) { + const p = part as ContentPart & { agentId?: string; groupId?: number }; + const groupId = p?.groupId; + const agentId = p?.agentId; + if (groupId != null && agentId) { + if (!groupAgentMap.has(groupId)) { + groupAgentMap.set(groupId, new Set()); + } + groupAgentMap.get(groupId)!.add(agentId); + } + } + + const groupPrimaryMap = new Map(); + for (const [groupId, agentIds] of groupAgentMap) { + const primary = findPrimaryAgentId(agentIds); + if (primary) { + groupPrimaryMap.set(groupId, primary); + } + } + + const filteredContent: ContentPart[] = []; + const agentIdMap: Record = {}; + + for (const part of message.content) { + const p = part as ContentPart & { agentId?: string; groupId?: number }; + const agentId = p?.agentId; + const groupId = p?.groupId; + + const isParallelPart = groupId != null; + const groupPrimary = isParallelPart ? groupPrimaryMap.get(groupId) : null; + const shouldInclude = !isParallelPart || !agentId || agentId === groupPrimary; + + if (shouldInclude) { + const newIndex = filteredContent.length; + const { agentId: _a, groupId: _g, ...cleanPart } = p; + filteredContent.push(cleanPart as ContentPart); + if (agentId && hasMultipleAgents) { + agentIdMap[newIndex] = agentId; + } + } + } + + const finalContent = + Object.keys(agentIdMap).length > 0 && agentNames + ? labelContentByAgent(filteredContent as MessageContentComplex[], agentIdMap, agentNames) + : filteredContent; + + return { ...message, content: finalContent as TMessage['content'] }; + } catch (error) { + logger.error('[AgentClient] Error processing multi-agent message:', error); + return message; + } + }; +} diff --git a/packages/api/src/agents/index.ts b/packages/api/src/agents/index.ts index a5a0c340fe..9d13b3dd8e 100644 --- a/packages/api/src/agents/index.ts +++ b/packages/api/src/agents/index.ts @@ -1,5 +1,6 @@ export * from './avatars'; export * from './chain'; +export * from './client'; export * from './context'; export * from './edges'; export * from './handlers'; diff --git a/packages/api/src/types/http.ts b/packages/api/src/types/http.ts index 6544447310..c304e9089e 100644 --- a/packages/api/src/types/http.ts +++ b/packages/api/src/types/http.ts @@ -1,5 +1,6 @@ -import type { Request } from 'express'; import type { IUser, AppConfig } from '@librechat/data-schemas'; +import type { TEndpointOption } from 'librechat-data-provider'; +import type { Request } from 'express'; /** * LibreChat-specific request body type that extends Express Request body @@ -11,8 +12,10 @@ export type RequestBody = { conversationId?: string; parentMessageId?: string; endpoint?: string; + endpointType?: string; model?: string; key?: string; + endpointOption?: Partial; }; export type ServerRequest = Request & { From 65d13826781661515623414dacd75b5f3e7599f5 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Sat, 14 Feb 2026 09:19:26 -0500 Subject: [PATCH 29/55] =?UTF-8?q?=F0=9F=93=A6=20chore:=20`@librechat/agent?= =?UTF-8?q?s`=20to=20v3.1.42=20(#11790)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/package.json | 2 +- package-lock.json | 10 +++++----- packages/api/package.json | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/api/package.json b/api/package.json index 05755c6020..95782e52c2 100644 --- a/api/package.json +++ b/api/package.json @@ -44,7 +44,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.41", + "@librechat/agents": "^3.1.42", "@librechat/api": "*", "@librechat/data-schemas": "*", "@microsoft/microsoft-graph-client": "^3.0.7", diff --git a/package-lock.json b/package-lock.json index 402f4872e6..a546ce1c10 100644 --- a/package-lock.json +++ b/package-lock.json @@ -59,7 +59,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.41", + "@librechat/agents": "^3.1.42", "@librechat/api": "*", "@librechat/data-schemas": "*", "@microsoft/microsoft-graph-client": "^3.0.7", @@ -11208,9 +11208,9 @@ } }, "node_modules/@librechat/agents": { - "version": "3.1.41", - "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.41.tgz", - "integrity": "sha512-djdJOGv8GxiI3vRyJZ5MoN8Gy3ZzfSTPOuWtqXLO0MzUkyQB32FqiM3YmtAjBbHLu0CSoOgkE8VVubQsOZauWQ==", + "version": "3.1.42", + "resolved": "https://registry.npmjs.org/@librechat/agents/-/agents-3.1.42.tgz", + "integrity": "sha512-zD+b+EpKdvYRO0STkOTiY4UwKK1522aD0BwmUPto7YWk4YmAXBB3uvyGN9ulP3Zr+1vqvypq2ZPfTLTrpqampw==", "license": "MIT", "dependencies": { "@anthropic-ai/sdk": "^0.73.0", @@ -42205,7 +42205,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.41", + "@librechat/agents": "^3.1.42", "@librechat/data-schemas": "*", "@modelcontextprotocol/sdk": "^1.26.0", "@smithy/node-http-handler": "^4.4.5", diff --git a/packages/api/package.json b/packages/api/package.json index cc0b67d0ee..7de59d3ac1 100644 --- a/packages/api/package.json +++ b/packages/api/package.json @@ -87,7 +87,7 @@ "@google/genai": "^1.19.0", "@keyv/redis": "^4.3.3", "@langchain/core": "^0.3.80", - "@librechat/agents": "^3.1.41", + "@librechat/agents": "^3.1.42", "@librechat/data-schemas": "*", "@modelcontextprotocol/sdk": "^1.26.0", "@smithy/node-http-handler": "^4.4.5", From bf1f2f431376e2a40bd0f634b094ae0942d1f7da Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Sat, 14 Feb 2026 09:41:10 -0500 Subject: [PATCH 30/55] =?UTF-8?q?=F0=9F=97=A8=EF=B8=8F=20refactor:=20Bette?= =?UTF-8?q?r=20Whitespace=20handling=20in=20Chat=20Message=20rendering=20(?= =?UTF-8?q?#11791)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Updated the rendering logic in the Part component to handle whitespace-only text more effectively. - Introduced a placeholder for whitespace-only last parts during streaming to enhance user experience. - Ensured non-last whitespace-only parts are skipped to avoid rendering empty containers, improving layout stability. --- .../components/Chat/Messages/Content/Part.tsx | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/client/src/components/Chat/Messages/Content/Part.tsx b/client/src/components/Chat/Messages/Content/Part.tsx index 4a74e3606f..f97d1343b9 100644 --- a/client/src/components/Chat/Messages/Content/Part.tsx +++ b/client/src/components/Chat/Messages/Content/Part.tsx @@ -67,9 +67,20 @@ const Part = memo( if (part.tool_call_ids != null && !text) { return null; } - /** Skip rendering if text is only whitespace to avoid empty Container */ - if (!isLast && text.length > 0 && /^\s*$/.test(text)) { - return null; + /** Handle whitespace-only text to avoid layout shift */ + if (text.length > 0 && /^\s*$/.test(text)) { + /** Show placeholder for whitespace-only last part during streaming */ + if (isLast && showCursor) { + return ( + + + + ); + } + /** Skip rendering non-last whitespace-only parts to avoid empty Container */ + if (!isLast) { + return null; + } } return ( From 10685fca9f978584d5bbd9fab27e34e6dcfc60b2 Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Sat, 14 Feb 2026 13:18:50 -0500 Subject: [PATCH 31/55] =?UTF-8?q?=F0=9F=97=82=EF=B8=8F=20refactor:=20Artif?= =?UTF-8?q?acts=20via=20Model=20Specs=20&=20Scope=20Badge=20Persistence=20?= =?UTF-8?q?by=20Spec=20Context=20(#11796)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 refactor: Simplify MCP selection logic in useMCPSelect hook - Removed redundant useEffect for setting ephemeral agent when MCP values change. - Integrated ephemeral agent update directly into the MCP value change handler, improving code clarity and reducing unnecessary re-renders. - Updated dependencies in the effect hook to ensure proper state management. Why Effect 2 Was Added (PR #9528) PR #9528 was a refactor that migrated MCP state from useLocalStorage hooks to Jotai atomWithStorage. Before that PR, useLocalStorage handled bidirectional sync between localStorage and Recoil in one abstraction. After the migration, the two useEffect hooks were introduced to bridge Jotai ↔ Recoil: - Effect 1 (Recoil → Jotai): When ephemeralAgent.mcp changes externally, update the Jotai atom (which drives the UI dropdown) - Effect 2 (Jotai → Recoil): When mcpValues changes, push it back to ephemeralAgent.mcp (which is read at submission time) Effect 2 was needed because in that PR's design, setMCPValues only wrote to Jotai — it never touched Recoil. Effect 2 was the bridge to propagate user selections into the ephemeral agent. Why Removing It Is Correct All user-initiated MCP changes go through setMCPValues. The callers are in useMCPServerManager: toggleServerSelection, batchToggleServers, OAuth success callbacks, and access revocation. Our change puts the Recoil write directly in that callback, so all these paths are covered. All external changes go through Recoil, handled by Effect 1 (kept). Model spec application (applyModelSpecEphemeralAgent), agent template application after submission, and BadgeRowContext initialization all write directly to ephemeralAgentByConvoId. Effect 1 watches ephemeralAgent?.mcp and syncs those into the Jotai atom for the UI. There is no code path where mcpValues changes without going through setMCPValues or Effect 1. The only other source is atomWithStorage's getOnInit reading from localStorage on mount — that's just restoring persisted state and is harmless (overwritten by Effect 1 if the ephemeral agent has values). Additional Benefits - Eliminates the race condition. Effect 2 fired on mount with Jotai's stale default ([]), overwriting ephemeralAgent.mcp that had been set by a model spec. Our change prevents that because the imperative sync only fires on explicit user action. - Eliminates infinite loop risk. The old bidirectional two-effect approach relied on isEqual/JSON.stringify checks to break cycles. The new unidirectional-reactive (Effect 1) + imperative (setMCPValues) approach has no such risk. - Effect 1's enhancements are preserved. The mcp_clear sentinel handling and configuredServers filtering (both added after PR #9528) continue to work correctly. * ✨ feat: Add artifacts support to model specifications and ephemeral agents - Introduced `artifacts` property in the model specification and ephemeral agent types, allowing for string or boolean values. - Updated `applyModelSpecEphemeralAgent` to handle artifacts, defaulting to 'default' if true or an empty string if not specified. - Enhanced localStorage handling to store artifacts alongside other agent properties, improving state management for ephemeral agents. * 🔧 refactor: Update BadgeRowContext to improve localStorage handling - Modified the logic to only apply values from localStorage that were actually stored, preventing unnecessary overrides of the ephemeral agent. - Simplified the setting of ephemeral agent values by directly using initialValues, enhancing code clarity and maintainability. * 🔧 refactor: Enhance ephemeral agent handling in BadgeRowContext and model spec application - Updated BadgeRowContext to apply localStorage values only for tools not already set in ephemeralAgent, improving state management. - Modified useApplyModelSpecEffects to reset the ephemeral agent when no spec is provided but specs are configured, ensuring localStorage defaults are applied correctly. - Streamlined the logic for applying model spec properties, enhancing clarity and maintainability. * refactor: Isolate spec and non-spec tool/MCP state with environment-keyed storage Spec tool state (badges, MCP) and non-spec user preferences previously shared conversation-keyed localStorage, causing cross-pollination when switching between spec and non-spec models. This introduces environment-keyed storage so each context maintains independent persisted state. Key changes: - Spec active: no localStorage persistence — admin config always applied fresh - Non-spec (with specs configured): tool/MCP state persisted to __defaults__ key - No specs configured: zero behavior change (conversation-keyed storage) - Per-conversation isolation preserved for existing conversations - Dual-write on user interaction updates both conversation and environment keys - Remove mcp_clear sentinel in favor of null ephemeral agent reset * refactor: Enhance ephemeral agent initialization and MCP handling in BadgeRowContext and useMCPSelect - Updated BadgeRowContext to clarify the handling of localStorage values for ephemeral agents, ensuring proper initialization based on conversation state. - Improved useMCPSelect tests to accurately reflect behavior when setting empty MCP values, ensuring the visual selection clears as expected. - Introduced environment-keyed storage logic to maintain independent state for spec and non-spec contexts, enhancing user experience during context switching. * test: Add comprehensive tests for useToolToggle and applyModelSpecEphemeralAgent hooks - Introduced unit tests for the useToolToggle hook, covering dual-write behavior in non-spec mode and per-conversation isolation. - Added tests for applyModelSpecEphemeralAgent, ensuring correct application of model specifications and user overrides from localStorage. - Enhanced test coverage for ephemeral agent state management during conversation transitions, validating expected behaviors for both new and existing conversations. --- client/src/Providers/BadgeRowContext.tsx | 137 +++++--- client/src/components/Chat/Input/BadgeRow.tsx | 8 +- client/src/components/Chat/Input/ChatForm.tsx | 1 + .../src/components/Chat/Input/MCPSelect.tsx | 8 +- .../src/components/Chat/Input/MCPSubMenu.tsx | 6 +- client/src/components/MCP/MCPConfigDialog.tsx | 3 + .../MCP/ServerInitializationSection.tsx | 4 +- .../hooks/Agents/useApplyModelSpecAgents.ts | 13 + .../hooks/MCP/__tests__/useMCPSelect.test.tsx | 252 +++++++++++++- client/src/hooks/MCP/useMCPSelect.ts | 60 ++-- client/src/hooks/MCP/useMCPServerManager.ts | 6 +- .../Plugins/__tests__/useToolToggle.test.tsx | 328 ++++++++++++++++++ client/src/hooks/Plugins/useToolToggle.ts | 18 +- .../applyModelSpecEphemeralAgent.test.ts | 274 +++++++++++++++ client/src/utils/endpoints.ts | 46 ++- packages/data-provider/src/config.ts | 2 + packages/data-provider/src/models.ts | 2 + packages/data-provider/src/types.ts | 1 + 18 files changed, 1084 insertions(+), 85 deletions(-) create mode 100644 client/src/hooks/Plugins/__tests__/useToolToggle.test.tsx create mode 100644 client/src/utils/__tests__/applyModelSpecEphemeralAgent.test.ts diff --git a/client/src/Providers/BadgeRowContext.tsx b/client/src/Providers/BadgeRowContext.tsx index 40df795aba..dce1c38a78 100644 --- a/client/src/Providers/BadgeRowContext.tsx +++ b/client/src/Providers/BadgeRowContext.tsx @@ -1,4 +1,4 @@ -import React, { createContext, useContext, useEffect, useRef } from 'react'; +import React, { createContext, useContext, useEffect, useMemo, useRef } from 'react'; import { useSetRecoilState } from 'recoil'; import { Tools, Constants, LocalStorageKeys, AgentCapabilities } from 'librechat-data-provider'; import type { TAgentsEndpoint } from 'librechat-data-provider'; @@ -9,11 +9,13 @@ import { useCodeApiKeyForm, useToolToggle, } from '~/hooks'; -import { getTimestampedValue, setTimestamp } from '~/utils/timestamps'; +import { getTimestampedValue } from '~/utils/timestamps'; +import { useGetStartupConfig } from '~/data-provider'; import { ephemeralAgentByConvoId } from '~/store'; interface BadgeRowContextType { conversationId?: string | null; + storageContextKey?: string; agentsConfig?: TAgentsEndpoint | null; webSearch: ReturnType; artifacts: ReturnType; @@ -38,34 +40,70 @@ interface BadgeRowProviderProps { children: React.ReactNode; isSubmitting?: boolean; conversationId?: string | null; + specName?: string | null; } export default function BadgeRowProvider({ children, isSubmitting, conversationId, + specName, }: BadgeRowProviderProps) { - const lastKeyRef = useRef(''); + const lastContextKeyRef = useRef(''); const hasInitializedRef = useRef(false); const { agentsConfig } = useGetAgentsConfig(); + const { data: startupConfig } = useGetStartupConfig(); const key = conversationId ?? Constants.NEW_CONVO; + const hasModelSpecs = (startupConfig?.modelSpecs?.list?.length ?? 0) > 0; + + /** + * Compute the storage context key for non-spec persistence: + * - `__defaults__`: specs configured but none active → shared defaults key + * - undefined: spec active (no persistence) or no specs configured (original behavior) + * + * When a spec is active, tool/MCP state is NOT persisted — the admin's spec + * configuration is always applied fresh. Only non-spec user preferences persist. + */ + const storageContextKey = useMemo(() => { + if (!specName && hasModelSpecs) { + return Constants.spec_defaults_key as string; + } + return undefined; + }, [specName, hasModelSpecs]); + + /** + * Compute the storage suffix for reading localStorage defaults: + * - New conversations read from environment key (spec or non-spec defaults) + * - Existing conversations read from conversation key (per-conversation state) + */ + const isNewConvo = key === Constants.NEW_CONVO; + const storageSuffix = isNewConvo && storageContextKey ? storageContextKey : key; const setEphemeralAgent = useSetRecoilState(ephemeralAgentByConvoId(key)); - /** Initialize ephemeralAgent from localStorage on mount and when conversation changes */ + /** Initialize ephemeralAgent from localStorage on mount and when conversation/spec changes. + * Skipped when a spec is active — applyModelSpecEphemeralAgent handles both new conversations + * (pure spec values) and existing conversations (spec values + localStorage overrides). */ useEffect(() => { if (isSubmitting) { return; } - // Check if this is a new conversation or the first load - if (!hasInitializedRef.current || lastKeyRef.current !== key) { + if (specName) { + // Spec active: applyModelSpecEphemeralAgent handles all state (spec base + localStorage + // overrides for existing conversations). Reset init flag so switching back to non-spec + // triggers a fresh re-init. + hasInitializedRef.current = false; + return; + } + // Check if this is a new conversation/spec or the first load + if (!hasInitializedRef.current || lastContextKeyRef.current !== storageSuffix) { hasInitializedRef.current = true; - lastKeyRef.current = key; + lastContextKeyRef.current = storageSuffix; - const codeToggleKey = `${LocalStorageKeys.LAST_CODE_TOGGLE_}${key}`; - const webSearchToggleKey = `${LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_}${key}`; - const fileSearchToggleKey = `${LocalStorageKeys.LAST_FILE_SEARCH_TOGGLE_}${key}`; - const artifactsToggleKey = `${LocalStorageKeys.LAST_ARTIFACTS_TOGGLE_}${key}`; + const codeToggleKey = `${LocalStorageKeys.LAST_CODE_TOGGLE_}${storageSuffix}`; + const webSearchToggleKey = `${LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_}${storageSuffix}`; + const fileSearchToggleKey = `${LocalStorageKeys.LAST_FILE_SEARCH_TOGGLE_}${storageSuffix}`; + const artifactsToggleKey = `${LocalStorageKeys.LAST_ARTIFACTS_TOGGLE_}${storageSuffix}`; const codeToggleValue = getTimestampedValue(codeToggleKey); const webSearchToggleValue = getTimestampedValue(webSearchToggleKey); @@ -106,39 +144,53 @@ export default function BadgeRowProvider({ } } - /** - * Always set values for all tools (use defaults if not in `localStorage`) - * If `ephemeralAgent` is `null`, create a new object with just our tool values - */ - const finalValues = { - [Tools.execute_code]: initialValues[Tools.execute_code] ?? false, - [Tools.web_search]: initialValues[Tools.web_search] ?? false, - [Tools.file_search]: initialValues[Tools.file_search] ?? false, - [AgentCapabilities.artifacts]: initialValues[AgentCapabilities.artifacts] ?? false, - }; + const hasOverrides = Object.keys(initialValues).length > 0; - setEphemeralAgent((prev) => ({ - ...(prev || {}), - ...finalValues, - })); - - Object.entries(finalValues).forEach(([toolKey, value]) => { - if (value !== false) { - let storageKey = artifactsToggleKey; - if (toolKey === Tools.execute_code) { - storageKey = codeToggleKey; - } else if (toolKey === Tools.web_search) { - storageKey = webSearchToggleKey; - } else if (toolKey === Tools.file_search) { - storageKey = fileSearchToggleKey; + /** Read persisted MCP values from localStorage */ + let mcpOverrides: string[] | null = null; + const mcpStorageKey = `${LocalStorageKeys.LAST_MCP_}${storageSuffix}`; + const mcpRaw = localStorage.getItem(mcpStorageKey); + if (mcpRaw !== null) { + try { + const parsed = JSON.parse(mcpRaw); + if (Array.isArray(parsed) && parsed.length > 0) { + mcpOverrides = parsed; } - // Store the value and set timestamp for existing values - localStorage.setItem(storageKey, JSON.stringify(value)); - setTimestamp(storageKey); + } catch (e) { + console.error('Failed to parse MCP values:', e); } + } + + setEphemeralAgent((prev) => { + if (prev == null) { + /** ephemeralAgent is null — use localStorage defaults */ + if (hasOverrides || mcpOverrides) { + const result = { ...initialValues }; + if (mcpOverrides) { + result.mcp = mcpOverrides; + } + return result; + } + return prev; + } + /** ephemeralAgent already has values (from prior state). + * Only fill in undefined keys from localStorage. */ + let changed = false; + const result = { ...prev }; + for (const [toolKey, value] of Object.entries(initialValues)) { + if (result[toolKey] === undefined) { + result[toolKey] = value; + changed = true; + } + } + if (mcpOverrides && result.mcp === undefined) { + result.mcp = mcpOverrides; + changed = true; + } + return changed ? result : prev; }); } - }, [key, isSubmitting, setEphemeralAgent]); + }, [storageSuffix, specName, isSubmitting, setEphemeralAgent]); /** CodeInterpreter hooks */ const codeApiKeyForm = useCodeApiKeyForm({}); @@ -146,6 +198,7 @@ export default function BadgeRowProvider({ const codeInterpreter = useToolToggle({ conversationId, + storageContextKey, setIsDialogOpen: setCodeDialogOpen, toolKey: Tools.execute_code, localStorageKey: LocalStorageKeys.LAST_CODE_TOGGLE_, @@ -161,6 +214,7 @@ export default function BadgeRowProvider({ const webSearch = useToolToggle({ conversationId, + storageContextKey, toolKey: Tools.web_search, localStorageKey: LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_, setIsDialogOpen: setWebSearchDialogOpen, @@ -173,6 +227,7 @@ export default function BadgeRowProvider({ /** FileSearch hook */ const fileSearch = useToolToggle({ conversationId, + storageContextKey, toolKey: Tools.file_search, localStorageKey: LocalStorageKeys.LAST_FILE_SEARCH_TOGGLE_, isAuthenticated: true, @@ -181,12 +236,13 @@ export default function BadgeRowProvider({ /** Artifacts hook - using a custom key since it's not a Tool but a capability */ const artifacts = useToolToggle({ conversationId, + storageContextKey, toolKey: AgentCapabilities.artifacts, localStorageKey: LocalStorageKeys.LAST_ARTIFACTS_TOGGLE_, isAuthenticated: true, }); - const mcpServerManager = useMCPServerManager({ conversationId }); + const mcpServerManager = useMCPServerManager({ conversationId, storageContextKey }); const value: BadgeRowContextType = { webSearch, @@ -194,6 +250,7 @@ export default function BadgeRowProvider({ fileSearch, agentsConfig, conversationId, + storageContextKey, codeApiKeyForm, codeInterpreter, searchApiKeyForm, diff --git a/client/src/components/Chat/Input/BadgeRow.tsx b/client/src/components/Chat/Input/BadgeRow.tsx index 5036dcd5e4..6fea6b0d58 100644 --- a/client/src/components/Chat/Input/BadgeRow.tsx +++ b/client/src/components/Chat/Input/BadgeRow.tsx @@ -28,6 +28,7 @@ interface BadgeRowProps { onChange: (badges: Pick[]) => void; onToggle?: (badgeId: string, currentActive: boolean) => void; conversationId?: string | null; + specName?: string | null; isSubmitting?: boolean; isInChat: boolean; } @@ -142,6 +143,7 @@ const dragReducer = (state: DragState, action: DragAction): DragState => { function BadgeRow({ showEphemeralBadges, conversationId, + specName, isSubmitting, onChange, onToggle, @@ -320,7 +322,11 @@ function BadgeRow({ }, [dragState.draggedBadge, handleMouseMove, handleMouseUp]); return ( - +
{showEphemeralBadges === true && } {tempBadges.map((badge, index) => ( diff --git a/client/src/components/Chat/Input/ChatForm.tsx b/client/src/components/Chat/Input/ChatForm.tsx index f8f0fbb40b..45277e5b9c 100644 --- a/client/src/components/Chat/Input/ChatForm.tsx +++ b/client/src/components/Chat/Input/ChatForm.tsx @@ -325,6 +325,7 @@ const ChatForm = memo(({ index = 0 }: { index?: number }) => { } isSubmitting={isSubmitting} conversationId={conversationId} + specName={conversation?.spec} onChange={setBadges} isInChat={ Array.isArray(conversation?.messages) && conversation.messages.length >= 1 diff --git a/client/src/components/Chat/Input/MCPSelect.tsx b/client/src/components/Chat/Input/MCPSelect.tsx index 278e603db0..a5356f5094 100644 --- a/client/src/components/Chat/Input/MCPSelect.tsx +++ b/client/src/components/Chat/Input/MCPSelect.tsx @@ -11,7 +11,7 @@ import { useHasAccess } from '~/hooks'; import { cn } from '~/utils'; function MCPSelectContent() { - const { conversationId, mcpServerManager } = useBadgeRowContext(); + const { conversationId, storageContextKey, mcpServerManager } = useBadgeRowContext(); const { localize, isPinned, @@ -128,7 +128,11 @@ function MCPSelectContent() { {configDialogProps && ( - + )} ); diff --git a/client/src/components/Chat/Input/MCPSubMenu.tsx b/client/src/components/Chat/Input/MCPSubMenu.tsx index ca547ca1f7..b0b8fad1bb 100644 --- a/client/src/components/Chat/Input/MCPSubMenu.tsx +++ b/client/src/components/Chat/Input/MCPSubMenu.tsx @@ -15,7 +15,7 @@ interface MCPSubMenuProps { const MCPSubMenu = React.forwardRef( ({ placeholder, ...props }, ref) => { const localize = useLocalize(); - const { mcpServerManager } = useBadgeRowContext(); + const { storageContextKey, mcpServerManager } = useBadgeRowContext(); const { isPinned, mcpValues, @@ -106,7 +106,9 @@ const MCPSubMenu = React.forwardRef(
- {configDialogProps && } + {configDialogProps && ( + + )}
); }, diff --git a/client/src/components/MCP/MCPConfigDialog.tsx b/client/src/components/MCP/MCPConfigDialog.tsx index a3727971e9..f1079c2799 100644 --- a/client/src/components/MCP/MCPConfigDialog.tsx +++ b/client/src/components/MCP/MCPConfigDialog.tsx @@ -24,6 +24,7 @@ interface MCPConfigDialogProps { serverName: string; serverStatus?: MCPServerStatus; conversationId?: string | null; + storageContextKey?: string; } export default function MCPConfigDialog({ @@ -36,6 +37,7 @@ export default function MCPConfigDialog({ serverName, serverStatus, conversationId, + storageContextKey, }: MCPConfigDialogProps) { const localize = useLocalize(); @@ -167,6 +169,7 @@ export default function MCPConfigDialog({ 0} /> diff --git a/client/src/components/MCP/ServerInitializationSection.tsx b/client/src/components/MCP/ServerInitializationSection.tsx index b5f71335d7..c080866b3d 100644 --- a/client/src/components/MCP/ServerInitializationSection.tsx +++ b/client/src/components/MCP/ServerInitializationSection.tsx @@ -9,12 +9,14 @@ interface ServerInitializationSectionProps { requiresOAuth: boolean; hasCustomUserVars?: boolean; conversationId?: string | null; + storageContextKey?: string; } export default function ServerInitializationSection({ serverName, requiresOAuth, conversationId, + storageContextKey, sidePanel = false, hasCustomUserVars = false, }: ServerInitializationSectionProps) { @@ -28,7 +30,7 @@ export default function ServerInitializationSection({ initializeServer, availableMCPServers, revokeOAuthForServer, - } = useMCPServerManager({ conversationId }); + } = useMCPServerManager({ conversationId, storageContextKey }); const { connectionStatus } = useMCPConnectionStatus({ enabled: !!availableMCPServers && availableMCPServers.length > 0, diff --git a/client/src/hooks/Agents/useApplyModelSpecAgents.ts b/client/src/hooks/Agents/useApplyModelSpecAgents.ts index 94d62a058a..2c677f85ca 100644 --- a/client/src/hooks/Agents/useApplyModelSpecAgents.ts +++ b/client/src/hooks/Agents/useApplyModelSpecAgents.ts @@ -1,4 +1,5 @@ import { useCallback } from 'react'; +import { Constants } from 'librechat-data-provider'; import type { TStartupConfig, TSubmission } from 'librechat-data-provider'; import { useUpdateEphemeralAgent, useApplyNewAgentTemplate } from '~/store/agents'; import { getModelSpec, applyModelSpecEphemeralAgent } from '~/utils'; @@ -6,6 +7,10 @@ import { getModelSpec, applyModelSpecEphemeralAgent } from '~/utils'; /** * Hook that applies a model spec from a preset to an ephemeral agent. * This is used when initializing a new conversation with a preset that has a spec. + * + * When a spec is provided, its tool settings are applied to the ephemeral agent. + * When no spec is provided but specs are configured, the ephemeral agent is reset + * to null so BadgeRowContext can apply localStorage defaults (non-spec experience). */ export function useApplyModelSpecEffects() { const updateEphemeralAgent = useUpdateEphemeralAgent(); @@ -20,6 +25,11 @@ export function useApplyModelSpecEffects() { startupConfig?: TStartupConfig; }) => { if (specName == null || !specName) { + if (startupConfig?.modelSpecs?.list?.length) { + /** Specs are configured but none selected — reset ephemeral agent to null + * so BadgeRowContext fills all values (tool toggles + MCP) from localStorage. */ + updateEphemeralAgent((convoId ?? Constants.NEW_CONVO) || Constants.NEW_CONVO, null); + } return; } @@ -80,6 +90,9 @@ export function useApplyAgentTemplate() { web_search: ephemeralAgent?.web_search ?? modelSpec.webSearch ?? false, file_search: ephemeralAgent?.file_search ?? modelSpec.fileSearch ?? false, execute_code: ephemeralAgent?.execute_code ?? modelSpec.executeCode ?? false, + artifacts: + ephemeralAgent?.artifacts ?? + (modelSpec.artifacts === true ? 'default' : modelSpec.artifacts || ''), }; mergedAgent.mcp = [...new Set(mergedAgent.mcp)]; diff --git a/client/src/hooks/MCP/__tests__/useMCPSelect.test.tsx b/client/src/hooks/MCP/__tests__/useMCPSelect.test.tsx index 26595b611c..783f525b9c 100644 --- a/client/src/hooks/MCP/__tests__/useMCPSelect.test.tsx +++ b/client/src/hooks/MCP/__tests__/useMCPSelect.test.tsx @@ -415,7 +415,7 @@ describe('useMCPSelect', () => { }); }); - it('should handle empty ephemeralAgent.mcp array correctly', async () => { + it('should clear mcpValues when ephemeralAgent.mcp is set to empty array', async () => { // Create a shared wrapper const { Wrapper, servers } = createWrapper(['initial-value']); @@ -437,19 +437,21 @@ describe('useMCPSelect', () => { expect(result.current.mcpHook.mcpValues).toEqual(['initial-value']); }); - // Try to set empty array externally + // Set empty array externally (e.g., spec with no MCP servers) act(() => { result.current.setEphemeralAgent({ mcp: [], }); }); - // Values should remain unchanged since empty mcp array doesn't trigger update - // (due to the condition: ephemeralAgent?.mcp && ephemeralAgent.mcp.length > 0) - expect(result.current.mcpHook.mcpValues).toEqual(['initial-value']); + // Jotai atom should be cleared — an explicit empty mcp array means + // the spec (or reset) has no MCP servers, so the visual selection must clear + await waitFor(() => { + expect(result.current.mcpHook.mcpValues).toEqual([]); + }); }); - it('should handle ephemeralAgent with clear mcp value', async () => { + it('should handle ephemeralAgent being reset to null', async () => { // Create a shared wrapper const { Wrapper, servers } = createWrapper(['server1', 'server2']); @@ -471,16 +473,15 @@ describe('useMCPSelect', () => { expect(result.current.mcpHook.mcpValues).toEqual(['server1', 'server2']); }); - // Set ephemeralAgent with clear value + // Reset ephemeralAgent to null (simulating non-spec reset) act(() => { - result.current.setEphemeralAgent({ - mcp: [Constants.mcp_clear as string], - }); + result.current.setEphemeralAgent(null); }); - // mcpValues should be cleared + // mcpValues should remain unchanged since null ephemeral agent + // doesn't trigger the sync effect (mcps.length === 0) await waitFor(() => { - expect(result.current.mcpHook.mcpValues).toEqual([]); + expect(result.current.mcpHook.mcpValues).toEqual(['server1', 'server2']); }); }); @@ -590,6 +591,233 @@ describe('useMCPSelect', () => { }); }); + describe('Environment-Keyed Storage (storageContextKey)', () => { + it('should use storageContextKey as atom key for new conversations', async () => { + const { Wrapper, servers } = createWrapper(['server1', 'server2']); + const storageContextKey = '__defaults__'; + + // Hook A: new conversation with storageContextKey + const { result: resultA } = renderHook( + () => useMCPSelect({ conversationId: null, storageContextKey, servers }), + { wrapper: Wrapper }, + ); + + act(() => { + resultA.current.setMCPValues(['server1']); + }); + + await waitFor(() => { + expect(resultA.current.mcpValues).toEqual(['server1']); + }); + + // Hook B: new conversation WITHOUT storageContextKey (different environment) + const { result: resultB } = renderHook( + () => useMCPSelect({ conversationId: null, servers }), + { wrapper: Wrapper }, + ); + + // Should NOT see server1 since it's a different atom (NEW_CONVO vs __defaults__) + expect(resultB.current.mcpValues).toEqual([]); + }); + + it('should use conversationId as atom key for existing conversations even with storageContextKey', async () => { + const conversationId = 'existing-convo-123'; + const { Wrapper, servers } = createWrapper(['server1', 'server2']); + const storageContextKey = '__defaults__'; + + const { result } = renderHook( + () => useMCPSelect({ conversationId, storageContextKey, servers }), + { wrapper: Wrapper }, + ); + + act(() => { + result.current.setMCPValues(['server1', 'server2']); + }); + + await waitFor(() => { + expect(result.current.mcpValues).toEqual(['server1', 'server2']); + }); + + // Verify timestamp was written to the conversation key, not the environment key + const convoKey = `${LocalStorageKeys.LAST_MCP_}${conversationId}`; + expect(setTimestamp).toHaveBeenCalledWith(convoKey); + }); + + it('should dual-write to environment key when storageContextKey is provided', async () => { + const { Wrapper, servers } = createWrapper(['server1', 'server2']); + const storageContextKey = '__defaults__'; + + const { result } = renderHook( + () => useMCPSelect({ conversationId: null, storageContextKey, servers }), + { wrapper: Wrapper }, + ); + + act(() => { + result.current.setMCPValues(['server1', 'server2']); + }); + + await waitFor(() => { + // Verify dual-write to environment key + const envKey = `${LocalStorageKeys.LAST_MCP_}${storageContextKey}`; + expect(localStorage.getItem(envKey)).toEqual(JSON.stringify(['server1', 'server2'])); + expect(setTimestamp).toHaveBeenCalledWith(envKey); + }); + }); + + it('should NOT dual-write when storageContextKey is undefined', async () => { + const conversationId = 'convo-no-specs'; + const { Wrapper, servers } = createWrapper(['server1']); + + const { result } = renderHook(() => useMCPSelect({ conversationId, servers }), { + wrapper: Wrapper, + }); + + act(() => { + result.current.setMCPValues(['server1']); + }); + + await waitFor(() => { + expect(result.current.mcpValues).toEqual(['server1']); + }); + + // Only the conversation-keyed timestamp should be set, no environment key + const envKey = `${LocalStorageKeys.LAST_MCP_}__defaults__`; + expect(localStorage.getItem(envKey)).toBeNull(); + }); + + it('should isolate per-conversation state from environment defaults', async () => { + const { Wrapper, servers } = createWrapper(['server1', 'server2', 'server3']); + const storageContextKey = '__defaults__'; + + // Set environment defaults via new conversation + const { result: newConvoResult } = renderHook( + () => useMCPSelect({ conversationId: null, storageContextKey, servers }), + { wrapper: Wrapper }, + ); + + act(() => { + newConvoResult.current.setMCPValues(['server1', 'server2']); + }); + + await waitFor(() => { + expect(newConvoResult.current.mcpValues).toEqual(['server1', 'server2']); + }); + + // Existing conversation should have its own isolated state + const { result: existingResult } = renderHook( + () => useMCPSelect({ conversationId: 'existing-convo', storageContextKey, servers }), + { wrapper: Wrapper }, + ); + + // Should start empty (its own atom), not inherit from defaults + expect(existingResult.current.mcpValues).toEqual([]); + + // Set different value for existing conversation + act(() => { + existingResult.current.setMCPValues(['server3']); + }); + + await waitFor(() => { + expect(existingResult.current.mcpValues).toEqual(['server3']); + }); + + // New conversation defaults should be unchanged + expect(newConvoResult.current.mcpValues).toEqual(['server1', 'server2']); + }); + }); + + describe('Spec/Non-Spec Context Switching', () => { + it('should clear MCP when ephemeral agent switches to empty mcp (spec with no MCP)', async () => { + const { Wrapper, servers } = createWrapper(['server1', 'server2']); + const storageContextKey = '__defaults__'; + + const TestComponent = ({ ctxKey }: { ctxKey?: string }) => { + const mcpHook = useMCPSelect({ conversationId: null, storageContextKey: ctxKey, servers }); + const setEphemeralAgent = useSetRecoilState(ephemeralAgentByConvoId(Constants.NEW_CONVO)); + return { mcpHook, setEphemeralAgent }; + }; + + // Start in non-spec context with some servers selected + const { result } = renderHook(() => TestComponent({ ctxKey: storageContextKey }), { + wrapper: Wrapper, + }); + + act(() => { + result.current.mcpHook.setMCPValues(['server1', 'server2']); + }); + + await waitFor(() => { + expect(result.current.mcpHook.mcpValues).toEqual(['server1', 'server2']); + }); + + // Simulate switching to a spec with no MCP — ephemeral agent gets mcp: [] + act(() => { + result.current.setEphemeralAgent({ mcp: [] }); + }); + + // MCP values should clear since the spec explicitly has no MCP servers + await waitFor(() => { + expect(result.current.mcpHook.mcpValues).toEqual([]); + }); + }); + + it('should handle ephemeral agent with spec MCP servers syncing to Jotai atom', async () => { + const { Wrapper, servers } = createWrapper(['spec-server1', 'spec-server2']); + + const TestComponent = () => { + const mcpHook = useMCPSelect({ conversationId: null, servers }); + const setEphemeralAgent = useSetRecoilState(ephemeralAgentByConvoId(Constants.NEW_CONVO)); + return { mcpHook, setEphemeralAgent }; + }; + + const { result } = renderHook(() => TestComponent(), { wrapper: Wrapper }); + + // Simulate spec application setting ephemeral agent MCP + act(() => { + result.current.setEphemeralAgent({ + mcp: ['spec-server1', 'spec-server2'], + execute_code: true, + }); + }); + + await waitFor(() => { + expect(result.current.mcpHook.mcpValues).toEqual(['spec-server1', 'spec-server2']); + }); + }); + + it('should handle null ephemeral agent reset (non-spec with specs configured)', async () => { + const { Wrapper, servers } = createWrapper(['server1', 'server2']); + + const TestComponent = () => { + const mcpHook = useMCPSelect({ servers }); + const setEphemeralAgent = useSetRecoilState(ephemeralAgentByConvoId(Constants.NEW_CONVO)); + return { mcpHook, setEphemeralAgent }; + }; + + const { result } = renderHook(() => TestComponent(), { wrapper: Wrapper }); + + // Set values from a spec + act(() => { + result.current.setEphemeralAgent({ mcp: ['server1', 'server2'] }); + }); + + await waitFor(() => { + expect(result.current.mcpHook.mcpValues).toEqual(['server1', 'server2']); + }); + + // Reset ephemeral agent to null (switching to non-spec) + act(() => { + result.current.setEphemeralAgent(null); + }); + + // mcpValues should remain unchanged — null ephemeral agent doesn't trigger sync + // (BadgeRowContext will fill from localStorage defaults separately) + await waitFor(() => { + expect(result.current.mcpHook.mcpValues).toEqual(['server1', 'server2']); + }); + }); + }); + describe('Memory Leak Prevention', () => { it('should not leak memory on repeated updates', async () => { const values = Array.from({ length: 100 }, (_, i) => `value-${i}`); diff --git a/client/src/hooks/MCP/useMCPSelect.ts b/client/src/hooks/MCP/useMCPSelect.ts index e0118b8be1..b15786f678 100644 --- a/client/src/hooks/MCP/useMCPSelect.ts +++ b/client/src/hooks/MCP/useMCPSelect.ts @@ -9,9 +9,11 @@ import { MCPServerDefinition } from './useMCPServerManager'; export function useMCPSelect({ conversationId, + storageContextKey, servers, }: { conversationId?: string | null; + storageContextKey?: string; servers: MCPServerDefinition[]; }) { const key = conversationId ?? Constants.NEW_CONVO; @@ -19,47 +21,61 @@ export function useMCPSelect({ return new Set(servers?.map((s) => s.serverName)); }, [servers]); + /** + * For new conversations, key the MCP atom by environment (spec or defaults) + * so switching between spec ↔ non-spec gives each its own atom. + * For existing conversations, key by conversation ID for per-conversation isolation. + */ + const isNewConvo = key === Constants.NEW_CONVO; + const mcpAtomKey = isNewConvo && storageContextKey ? storageContextKey : key; + const [isPinned, setIsPinned] = useAtom(mcpPinnedAtom); - const [mcpValues, setMCPValuesRaw] = useAtom(mcpValuesAtomFamily(key)); + const [mcpValues, setMCPValuesRaw] = useAtom(mcpValuesAtomFamily(mcpAtomKey)); const [ephemeralAgent, setEphemeralAgent] = useRecoilState(ephemeralAgentByConvoId(key)); - // Sync Jotai state with ephemeral agent state + // Sync ephemeral agent MCP → Jotai atom (strip unconfigured servers) useEffect(() => { - const mcps = ephemeralAgent?.mcp ?? []; - if (mcps.length === 1 && mcps[0] === Constants.mcp_clear) { - setMCPValuesRaw([]); - } else if (mcps.length > 0 && configuredServers.size > 0) { - // Strip out servers that are not available in the startup config + const mcps = ephemeralAgent?.mcp; + if (Array.isArray(mcps) && mcps.length > 0 && configuredServers.size > 0) { const activeMcps = mcps.filter((mcp) => configuredServers.has(mcp)); - setMCPValuesRaw(activeMcps); - } - }, [ephemeralAgent?.mcp, setMCPValuesRaw, configuredServers]); - - useEffect(() => { - setEphemeralAgent((prev) => { - if (!isEqual(prev?.mcp, mcpValues)) { - return { ...(prev ?? {}), mcp: mcpValues }; + if (!isEqual(activeMcps, mcpValues)) { + setMCPValuesRaw(activeMcps); } - return prev; - }); - }, [mcpValues, setEphemeralAgent]); + } else if (Array.isArray(mcps) && mcps.length === 0 && mcpValues.length > 0) { + // Ephemeral agent explicitly has empty MCP (e.g., spec with no MCP servers) — clear atom + setMCPValuesRaw([]); + } + }, [ephemeralAgent?.mcp, setMCPValuesRaw, configuredServers, mcpValues]); + // Write timestamp when MCP values change useEffect(() => { - const mcpStorageKey = `${LocalStorageKeys.LAST_MCP_}${key}`; + const mcpStorageKey = `${LocalStorageKeys.LAST_MCP_}${mcpAtomKey}`; if (mcpValues.length > 0) { setTimestamp(mcpStorageKey); } - }, [mcpValues, key]); + }, [mcpValues, mcpAtomKey]); - /** Stable memoized setter */ + /** Stable memoized setter with dual-write to environment key */ const setMCPValues = useCallback( (value: string[]) => { if (!Array.isArray(value)) { return; } setMCPValuesRaw(value); + setEphemeralAgent((prev) => { + if (!isEqual(prev?.mcp, value)) { + return { ...(prev ?? {}), mcp: value }; + } + return prev; + }); + // Dual-write to environment key for new conversation defaults + if (storageContextKey) { + const envKey = `${LocalStorageKeys.LAST_MCP_}${storageContextKey}`; + localStorage.setItem(envKey, JSON.stringify(value)); + setTimestamp(envKey); + } }, - [setMCPValuesRaw], + [setMCPValuesRaw, setEphemeralAgent, storageContextKey], ); return { diff --git a/client/src/hooks/MCP/useMCPServerManager.ts b/client/src/hooks/MCP/useMCPServerManager.ts index bb5214be7c..fcca040af2 100644 --- a/client/src/hooks/MCP/useMCPServerManager.ts +++ b/client/src/hooks/MCP/useMCPServerManager.ts @@ -28,7 +28,10 @@ export interface MCPServerDefinition { // The init states (isInitializing, isCancellable, etc.) are stored in the global Jotai atom type PollIntervals = Record; -export function useMCPServerManager({ conversationId }: { conversationId?: string | null } = {}) { +export function useMCPServerManager({ + conversationId, + storageContextKey, +}: { conversationId?: string | null; storageContextKey?: string } = {}) { const localize = useLocalize(); const queryClient = useQueryClient(); const { showToast } = useToastContext(); @@ -73,6 +76,7 @@ export function useMCPServerManager({ conversationId }: { conversationId?: strin const { mcpValues, setMCPValues, isPinned, setIsPinned } = useMCPSelect({ conversationId, + storageContextKey, servers: selectableServers, }); const mcpValuesRef = useRef(mcpValues); diff --git a/client/src/hooks/Plugins/__tests__/useToolToggle.test.tsx b/client/src/hooks/Plugins/__tests__/useToolToggle.test.tsx new file mode 100644 index 0000000000..f617db2249 --- /dev/null +++ b/client/src/hooks/Plugins/__tests__/useToolToggle.test.tsx @@ -0,0 +1,328 @@ +import React from 'react'; +import { renderHook, act, waitFor } from '@testing-library/react'; +import { LocalStorageKeys, Tools } from 'librechat-data-provider'; +import { RecoilRoot, useRecoilValue, useSetRecoilState } from 'recoil'; +import { ephemeralAgentByConvoId } from '~/store'; +import { useToolToggle } from '../useToolToggle'; + +/** + * Tests for useToolToggle — the hook responsible for toggling tool badges + * (code execution, web search, file search, artifacts) and persisting state. + * + * Desired behaviors: + * - User toggles persist to per-conversation localStorage + * - In non-spec mode with specs configured (storageContextKey = '__defaults__'), + * toggles ALSO persist to the defaults key so future new conversations inherit them + * - In spec mode (storageContextKey = undefined), toggles only persist per-conversation + * - The hook reflects the current ephemeral agent state + */ + +// Mock data-provider auth query +jest.mock('~/data-provider', () => ({ + useVerifyAgentToolAuth: jest.fn().mockReturnValue({ + data: { authenticated: true }, + }), +})); + +// Mock timestamps (track calls without actual localStorage timestamp logic) +jest.mock('~/utils/timestamps', () => ({ + setTimestamp: jest.fn(), +})); + +// Mock useLocalStorageAlt (isPinned state — not relevant to our behavior tests) +jest.mock('~/hooks/useLocalStorageAlt', () => jest.fn(() => [false, jest.fn()])); + +const Wrapper: React.FC<{ children: React.ReactNode }> = ({ children }) => ( + {children} +); + +describe('useToolToggle', () => { + beforeEach(() => { + jest.clearAllMocks(); + localStorage.clear(); + }); + + // ─── Dual-Write Behavior ─────────────────────────────────────────── + + describe('non-spec mode: dual-write to defaults key', () => { + const storageContextKey = '__defaults__'; + + it('should write to both conversation key and defaults key when user toggles a tool', () => { + const conversationId = 'convo-123'; + const { result } = renderHook( + () => + useToolToggle({ + conversationId, + storageContextKey, + toolKey: Tools.execute_code, + localStorageKey: LocalStorageKeys.LAST_CODE_TOGGLE_, + isAuthenticated: true, + }), + { wrapper: Wrapper }, + ); + + act(() => { + result.current.handleChange({ value: true }); + }); + + // Conversation key: per-conversation persistence + const convoKey = `${LocalStorageKeys.LAST_CODE_TOGGLE_}${conversationId}`; + // Defaults key: persists for future new conversations + const defaultsKey = `${LocalStorageKeys.LAST_CODE_TOGGLE_}${storageContextKey}`; + + // Sync effect writes to conversation key + expect(localStorage.getItem(convoKey)).toBe(JSON.stringify(true)); + // handleChange dual-writes to defaults key + expect(localStorage.getItem(defaultsKey)).toBe(JSON.stringify(true)); + }); + + it('should persist false values to defaults key when user disables a tool', () => { + const { result } = renderHook( + () => + useToolToggle({ + conversationId: 'convo-456', + storageContextKey, + toolKey: Tools.web_search, + localStorageKey: LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_, + isAuthenticated: true, + }), + { wrapper: Wrapper }, + ); + + // Enable then disable + act(() => { + result.current.handleChange({ value: true }); + }); + act(() => { + result.current.handleChange({ value: false }); + }); + + const defaultsKey = `${LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_}${storageContextKey}`; + expect(localStorage.getItem(defaultsKey)).toBe(JSON.stringify(false)); + }); + }); + + describe('spec mode: no dual-write', () => { + it('should only write to conversation key, not to any defaults key', () => { + const conversationId = 'spec-convo-789'; + const { result } = renderHook( + () => + useToolToggle({ + conversationId, + storageContextKey: undefined, // spec mode + toolKey: Tools.execute_code, + localStorageKey: LocalStorageKeys.LAST_CODE_TOGGLE_, + isAuthenticated: true, + }), + { wrapper: Wrapper }, + ); + + act(() => { + result.current.handleChange({ value: true }); + }); + + // Conversation key should have the value + const convoKey = `${LocalStorageKeys.LAST_CODE_TOGGLE_}${conversationId}`; + expect(localStorage.getItem(convoKey)).toBe(JSON.stringify(true)); + + // Defaults key should NOT have a value + const defaultsKey = `${LocalStorageKeys.LAST_CODE_TOGGLE_}__defaults__`; + expect(localStorage.getItem(defaultsKey)).toBeNull(); + }); + }); + + // ─── Per-Conversation Isolation ──────────────────────────────────── + + describe('per-conversation isolation', () => { + it('should maintain separate toggle state per conversation', () => { + const TestComponent = ({ conversationId }: { conversationId: string }) => { + const toggle = useToolToggle({ + conversationId, + toolKey: Tools.execute_code, + localStorageKey: LocalStorageKeys.LAST_CODE_TOGGLE_, + isAuthenticated: true, + }); + const ephemeralAgent = useRecoilValue(ephemeralAgentByConvoId(conversationId)); + return { toggle, ephemeralAgent }; + }; + + // Conversation A: enable code + const { result: resultA } = renderHook(() => TestComponent({ conversationId: 'convo-A' }), { + wrapper: Wrapper, + }); + + act(() => { + resultA.current.toggle.handleChange({ value: true }); + }); + + // Conversation B: disable code + const { result: resultB } = renderHook(() => TestComponent({ conversationId: 'convo-B' }), { + wrapper: Wrapper, + }); + + act(() => { + resultB.current.toggle.handleChange({ value: false }); + }); + + // Each conversation has its own value in localStorage + expect(localStorage.getItem(`${LocalStorageKeys.LAST_CODE_TOGGLE_}convo-A`)).toBe('true'); + expect(localStorage.getItem(`${LocalStorageKeys.LAST_CODE_TOGGLE_}convo-B`)).toBe('false'); + }); + }); + + // ─── Ephemeral Agent Sync ────────────────────────────────────────── + + describe('ephemeral agent reflects toggle state', () => { + it('should update ephemeral agent when user toggles a tool', async () => { + const conversationId = 'convo-sync-test'; + const TestComponent = () => { + const toggle = useToolToggle({ + conversationId, + toolKey: Tools.execute_code, + localStorageKey: LocalStorageKeys.LAST_CODE_TOGGLE_, + isAuthenticated: true, + }); + const ephemeralAgent = useRecoilValue(ephemeralAgentByConvoId(conversationId)); + return { toggle, ephemeralAgent }; + }; + + const { result } = renderHook(() => TestComponent(), { wrapper: Wrapper }); + + act(() => { + result.current.toggle.handleChange({ value: true }); + }); + + await waitFor(() => { + expect(result.current.ephemeralAgent?.execute_code).toBe(true); + }); + + act(() => { + result.current.toggle.handleChange({ value: false }); + }); + + await waitFor(() => { + expect(result.current.ephemeralAgent?.execute_code).toBe(false); + }); + }); + + it('should reflect external ephemeral agent changes in toolValue', async () => { + const conversationId = 'convo-external'; + const TestComponent = () => { + const toggle = useToolToggle({ + conversationId, + toolKey: Tools.web_search, + localStorageKey: LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_, + isAuthenticated: true, + }); + const setEphemeralAgent = useSetRecoilState(ephemeralAgentByConvoId(conversationId)); + return { toggle, setEphemeralAgent }; + }; + + const { result } = renderHook(() => TestComponent(), { wrapper: Wrapper }); + + // External update (e.g., from applyModelSpecEphemeralAgent) + act(() => { + result.current.setEphemeralAgent({ web_search: true, execute_code: false }); + }); + + await waitFor(() => { + expect(result.current.toggle.toolValue).toBe(true); + expect(result.current.toggle.isToolEnabled).toBe(true); + }); + }); + + it('should sync externally-set ephemeral agent values to localStorage', async () => { + const conversationId = 'convo-sync-ls'; + const TestComponent = () => { + const toggle = useToolToggle({ + conversationId, + toolKey: Tools.file_search, + localStorageKey: LocalStorageKeys.LAST_FILE_SEARCH_TOGGLE_, + isAuthenticated: true, + }); + const setEphemeralAgent = useSetRecoilState(ephemeralAgentByConvoId(conversationId)); + return { toggle, setEphemeralAgent }; + }; + + const { result } = renderHook(() => TestComponent(), { wrapper: Wrapper }); + + // Simulate applyModelSpecEphemeralAgent setting a value + act(() => { + result.current.setEphemeralAgent({ file_search: true }); + }); + + // The sync effect should write to conversation-keyed localStorage + await waitFor(() => { + const storageKey = `${LocalStorageKeys.LAST_FILE_SEARCH_TOGGLE_}${conversationId}`; + expect(localStorage.getItem(storageKey)).toBe(JSON.stringify(true)); + }); + }); + }); + + // ─── isToolEnabled computation ───────────────────────────────────── + + describe('isToolEnabled computation', () => { + it('should return false when tool is not set', () => { + const { result } = renderHook( + () => + useToolToggle({ + conversationId: 'convo-1', + toolKey: Tools.execute_code, + localStorageKey: LocalStorageKeys.LAST_CODE_TOGGLE_, + isAuthenticated: true, + }), + { wrapper: Wrapper }, + ); + + expect(result.current.isToolEnabled).toBe(false); + }); + + it('should treat non-empty string as enabled (artifacts)', async () => { + const conversationId = 'convo-artifacts'; + const TestComponent = () => { + const toggle = useToolToggle({ + conversationId, + toolKey: 'artifacts', + localStorageKey: LocalStorageKeys.LAST_ARTIFACTS_TOGGLE_, + isAuthenticated: true, + }); + const setEphemeralAgent = useSetRecoilState(ephemeralAgentByConvoId(conversationId)); + return { toggle, setEphemeralAgent }; + }; + + const { result } = renderHook(() => TestComponent(), { wrapper: Wrapper }); + + act(() => { + result.current.setEphemeralAgent({ artifacts: 'default' }); + }); + + await waitFor(() => { + expect(result.current.toggle.isToolEnabled).toBe(true); + }); + }); + + it('should treat empty string as disabled (artifacts off)', async () => { + const conversationId = 'convo-no-artifacts'; + const TestComponent = () => { + const toggle = useToolToggle({ + conversationId, + toolKey: 'artifacts', + localStorageKey: LocalStorageKeys.LAST_ARTIFACTS_TOGGLE_, + isAuthenticated: true, + }); + const setEphemeralAgent = useSetRecoilState(ephemeralAgentByConvoId(conversationId)); + return { toggle, setEphemeralAgent }; + }; + + const { result } = renderHook(() => TestComponent(), { wrapper: Wrapper }); + + act(() => { + result.current.setEphemeralAgent({ artifacts: '' }); + }); + + await waitFor(() => { + expect(result.current.toggle.isToolEnabled).toBe(false); + }); + }); + }); +}); diff --git a/client/src/hooks/Plugins/useToolToggle.ts b/client/src/hooks/Plugins/useToolToggle.ts index 3b12e87d51..d8026cad1c 100644 --- a/client/src/hooks/Plugins/useToolToggle.ts +++ b/client/src/hooks/Plugins/useToolToggle.ts @@ -13,6 +13,7 @@ type ToolValue = boolean | string; interface UseToolToggleOptions { conversationId?: string | null; + storageContextKey?: string; toolKey: string; localStorageKey: LocalStorageKeys; isAuthenticated?: boolean; @@ -26,6 +27,7 @@ interface UseToolToggleOptions { export function useToolToggle({ conversationId, + storageContextKey, toolKey: _toolKey, localStorageKey, isAuthenticated: externalIsAuthenticated, @@ -93,8 +95,22 @@ export function useToolToggle({ ...(prev || {}), [toolKey]: value, })); + + // Dual-write to environment key for new conversation defaults + if (storageContextKey) { + const envKey = `${localStorageKey}${storageContextKey}`; + localStorage.setItem(envKey, JSON.stringify(value)); + setTimestamp(envKey); + } }, - [setIsDialogOpen, isAuthenticated, setEphemeralAgent, toolKey], + [ + setIsDialogOpen, + isAuthenticated, + setEphemeralAgent, + toolKey, + storageContextKey, + localStorageKey, + ], ); const debouncedChange = useMemo( diff --git a/client/src/utils/__tests__/applyModelSpecEphemeralAgent.test.ts b/client/src/utils/__tests__/applyModelSpecEphemeralAgent.test.ts new file mode 100644 index 0000000000..44bfbb82f7 --- /dev/null +++ b/client/src/utils/__tests__/applyModelSpecEphemeralAgent.test.ts @@ -0,0 +1,274 @@ +import { Constants, LocalStorageKeys } from 'librechat-data-provider'; +import type { TModelSpec, TEphemeralAgent } from 'librechat-data-provider'; +import { applyModelSpecEphemeralAgent } from '../endpoints'; +import { setTimestamp } from '../timestamps'; + +/** + * Tests for applyModelSpecEphemeralAgent — the function responsible for + * constructing the ephemeral agent state when navigating to a spec conversation. + * + * Desired behaviors: + * - New conversations always get the admin's exact spec configuration + * - Existing conversations merge per-conversation localStorage overrides on top of spec + * - Cleared localStorage for existing conversations falls back to fresh spec config + */ + +const createModelSpec = (overrides: Partial = {}): TModelSpec => + ({ + name: 'test-spec', + label: 'Test Spec', + preset: { endpoint: 'agents' }, + mcpServers: ['spec-server1'], + webSearch: true, + executeCode: true, + fileSearch: false, + artifacts: true, + ...overrides, + }) as TModelSpec; + +/** Write a value + fresh timestamp to localStorage (simulates a user toggle) */ +function writeToolToggle(storagePrefix: string, convoId: string, value: unknown): void { + const key = `${storagePrefix}${convoId}`; + localStorage.setItem(key, JSON.stringify(value)); + setTimestamp(key); +} + +describe('applyModelSpecEphemeralAgent', () => { + let updateEphemeralAgent: jest.Mock; + + beforeEach(() => { + localStorage.clear(); + updateEphemeralAgent = jest.fn(); + }); + + // ─── New Conversations ───────────────────────────────────────────── + + describe('new conversations always get fresh admin spec config', () => { + it('should apply exactly the admin-configured tools and MCP servers', () => { + const modelSpec = createModelSpec({ + mcpServers: ['clickhouse', 'github'], + executeCode: true, + webSearch: false, + fileSearch: true, + artifacts: true, + }); + + applyModelSpecEphemeralAgent({ + convoId: null, + modelSpec, + updateEphemeralAgent, + }); + + expect(updateEphemeralAgent).toHaveBeenCalledWith(Constants.NEW_CONVO, { + mcp: ['clickhouse', 'github'], + execute_code: true, + web_search: false, + file_search: true, + artifacts: 'default', + }); + }); + + it('should not read from localStorage even if stale values exist', () => { + // Simulate stale localStorage from a previous session + writeToolToggle(LocalStorageKeys.LAST_CODE_TOGGLE_, Constants.NEW_CONVO, false); + writeToolToggle(LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_, Constants.NEW_CONVO, true); + localStorage.setItem( + `${LocalStorageKeys.LAST_MCP_}${Constants.NEW_CONVO}`, + JSON.stringify(['stale-server']), + ); + + const modelSpec = createModelSpec({ executeCode: true, webSearch: false, mcpServers: [] }); + + applyModelSpecEphemeralAgent({ + convoId: null, + modelSpec, + updateEphemeralAgent, + }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + // Should be spec values, NOT localStorage values + expect(agent.execute_code).toBe(true); + expect(agent.web_search).toBe(false); + expect(agent.mcp).toEqual([]); + }); + + it('should handle spec with no MCP servers', () => { + const modelSpec = createModelSpec({ mcpServers: undefined }); + + applyModelSpecEphemeralAgent({ convoId: null, modelSpec, updateEphemeralAgent }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + expect(agent.mcp).toEqual([]); + }); + + it('should map artifacts: true to "default" string', () => { + const modelSpec = createModelSpec({ artifacts: true }); + + applyModelSpecEphemeralAgent({ convoId: null, modelSpec, updateEphemeralAgent }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + expect(agent.artifacts).toBe('default'); + }); + + it('should pass through artifacts string value directly', () => { + const modelSpec = createModelSpec({ artifacts: 'custom-renderer' as any }); + + applyModelSpecEphemeralAgent({ convoId: null, modelSpec, updateEphemeralAgent }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + expect(agent.artifacts).toBe('custom-renderer'); + }); + }); + + // ─── Existing Conversations: Per-Conversation Persistence ────────── + + describe('existing conversations merge user overrides from localStorage', () => { + const convoId = 'convo-abc-123'; + + it('should preserve user tool modifications across navigation', () => { + // User previously toggled off code execution and enabled file search + writeToolToggle(LocalStorageKeys.LAST_CODE_TOGGLE_, convoId, false); + writeToolToggle(LocalStorageKeys.LAST_FILE_SEARCH_TOGGLE_, convoId, true); + + const modelSpec = createModelSpec({ + executeCode: true, + fileSearch: false, + webSearch: true, + }); + + applyModelSpecEphemeralAgent({ convoId, modelSpec, updateEphemeralAgent }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + expect(agent.execute_code).toBe(false); // user override + expect(agent.file_search).toBe(true); // user override + expect(agent.web_search).toBe(true); // not overridden, spec value + }); + + it('should preserve user-added MCP servers across navigation', () => { + // Spec has clickhouse, user also added github during the conversation + localStorage.setItem( + `${LocalStorageKeys.LAST_MCP_}${convoId}`, + JSON.stringify(['clickhouse', 'github']), + ); + + const modelSpec = createModelSpec({ mcpServers: ['clickhouse'] }); + + applyModelSpecEphemeralAgent({ convoId, modelSpec, updateEphemeralAgent }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + expect(agent.mcp).toEqual(['clickhouse', 'github']); + }); + + it('should preserve user-removed MCP servers (empty array) across navigation', () => { + // User removed all MCP servers during the conversation + localStorage.setItem(`${LocalStorageKeys.LAST_MCP_}${convoId}`, JSON.stringify([])); + + const modelSpec = createModelSpec({ mcpServers: ['clickhouse', 'github'] }); + + applyModelSpecEphemeralAgent({ convoId, modelSpec, updateEphemeralAgent }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + expect(agent.mcp).toEqual([]); + }); + + it('should only override keys that exist in localStorage, leaving the rest as spec defaults', () => { + // User only changed artifacts, nothing else + writeToolToggle(LocalStorageKeys.LAST_ARTIFACTS_TOGGLE_, convoId, ''); + + const modelSpec = createModelSpec({ + executeCode: true, + webSearch: true, + fileSearch: false, + artifacts: true, + mcpServers: ['server1'], + }); + + applyModelSpecEphemeralAgent({ convoId, modelSpec, updateEphemeralAgent }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + expect(agent.execute_code).toBe(true); // spec default (not in localStorage) + expect(agent.web_search).toBe(true); // spec default + expect(agent.file_search).toBe(false); // spec default + expect(agent.artifacts).toBe(''); // user override + expect(agent.mcp).toEqual(['server1']); // spec default (not in localStorage) + }); + }); + + // ─── Existing Conversations: Cleared localStorage ────────────────── + + describe('existing conversations with cleared localStorage get fresh spec config', () => { + const convoId = 'convo-cleared-456'; + + it('should fall back to pure spec values when localStorage is empty', () => { + // localStorage.clear() was already called in beforeEach + + const modelSpec = createModelSpec({ + executeCode: true, + webSearch: false, + fileSearch: true, + artifacts: true, + mcpServers: ['server1', 'server2'], + }); + + applyModelSpecEphemeralAgent({ convoId, modelSpec, updateEphemeralAgent }); + + expect(updateEphemeralAgent).toHaveBeenCalledWith(convoId, { + mcp: ['server1', 'server2'], + execute_code: true, + web_search: false, + file_search: true, + artifacts: 'default', + }); + }); + + it('should fall back to spec values when timestamps have expired (>2 days)', () => { + // Write values with expired timestamps (3 days old) + const expiredTimestamp = (Date.now() - 3 * 24 * 60 * 60 * 1000).toString(); + const codeKey = `${LocalStorageKeys.LAST_CODE_TOGGLE_}${convoId}`; + localStorage.setItem(codeKey, JSON.stringify(false)); + localStorage.setItem(`${codeKey}_TIMESTAMP`, expiredTimestamp); + + const modelSpec = createModelSpec({ executeCode: true }); + + applyModelSpecEphemeralAgent({ convoId, modelSpec, updateEphemeralAgent }); + + const agent = updateEphemeralAgent.mock.calls[0][1] as TEphemeralAgent; + // Expired override should be ignored — spec value wins + expect(agent.execute_code).toBe(true); + }); + }); + + // ─── Guard Clauses ───────────────────────────────────────────────── + + describe('guard clauses', () => { + it('should not call updateEphemeralAgent when modelSpec is undefined', () => { + applyModelSpecEphemeralAgent({ + convoId: 'convo-1', + modelSpec: undefined, + updateEphemeralAgent, + }); + + expect(updateEphemeralAgent).not.toHaveBeenCalled(); + }); + + it('should not throw when updateEphemeralAgent is undefined', () => { + expect(() => + applyModelSpecEphemeralAgent({ + convoId: 'convo-1', + modelSpec: createModelSpec(), + updateEphemeralAgent: undefined, + }), + ).not.toThrow(); + }); + + it('should use NEW_CONVO key when convoId is empty string', () => { + applyModelSpecEphemeralAgent({ + convoId: '', + modelSpec: createModelSpec(), + updateEphemeralAgent, + }); + + expect(updateEphemeralAgent).toHaveBeenCalledWith(Constants.NEW_CONVO, expect.any(Object)); + }); + }); +}); diff --git a/client/src/utils/endpoints.ts b/client/src/utils/endpoints.ts index eb9e60386f..33aa7a8525 100644 --- a/client/src/utils/endpoints.ts +++ b/client/src/utils/endpoints.ts @@ -11,6 +11,7 @@ import { } from 'librechat-data-provider'; import type * as t from 'librechat-data-provider'; import type { LocalizeFunction, IconsRecord } from '~/common'; +import { getTimestampedValue } from './timestamps'; /** * Clears model for non-ephemeral agent conversations. @@ -219,12 +220,51 @@ export function applyModelSpecEphemeralAgent({ if (!modelSpec || !updateEphemeralAgent) { return; } - updateEphemeralAgent((convoId ?? Constants.NEW_CONVO) || Constants.NEW_CONVO, { - mcp: modelSpec.mcpServers ?? [Constants.mcp_clear as string], + const key = (convoId ?? Constants.NEW_CONVO) || Constants.NEW_CONVO; + const agent: t.TEphemeralAgent = { + mcp: modelSpec.mcpServers ?? [], web_search: modelSpec.webSearch ?? false, file_search: modelSpec.fileSearch ?? false, execute_code: modelSpec.executeCode ?? false, - }); + artifacts: modelSpec.artifacts === true ? 'default' : modelSpec.artifacts || '', + }; + + // For existing conversations, layer per-conversation localStorage overrides + // on top of spec defaults so user modifications persist across navigation. + // If localStorage is empty (e.g., cleared), spec values stand alone. + if (key !== Constants.NEW_CONVO) { + const toolStorageMap: Array<[keyof t.TEphemeralAgent, string]> = [ + ['execute_code', LocalStorageKeys.LAST_CODE_TOGGLE_], + ['web_search', LocalStorageKeys.LAST_WEB_SEARCH_TOGGLE_], + ['file_search', LocalStorageKeys.LAST_FILE_SEARCH_TOGGLE_], + ['artifacts', LocalStorageKeys.LAST_ARTIFACTS_TOGGLE_], + ]; + + for (const [toolKey, storagePrefix] of toolStorageMap) { + const raw = getTimestampedValue(`${storagePrefix}${key}`); + if (raw !== null) { + try { + agent[toolKey] = JSON.parse(raw) as never; + } catch { + // ignore parse errors + } + } + } + + const mcpRaw = localStorage.getItem(`${LocalStorageKeys.LAST_MCP_}${key}`); + if (mcpRaw !== null) { + try { + const parsed = JSON.parse(mcpRaw); + if (Array.isArray(parsed)) { + agent.mcp = parsed; + } + } catch { + // ignore parse errors + } + } + } + + updateEphemeralAgent(key, agent); } /** diff --git a/packages/data-provider/src/config.ts b/packages/data-provider/src/config.ts index f6567e8da9..02174b6496 100644 --- a/packages/data-provider/src/config.ts +++ b/packages/data-provider/src/config.ts @@ -1758,6 +1758,8 @@ export enum Constants { mcp_all = 'sys__all__sys', /** Unique value to indicate clearing MCP servers from UI state. For frontend use only. */ mcp_clear = 'sys__clear__sys', + /** Key suffix for non-spec user default tool storage */ + spec_defaults_key = '__defaults__', /** * Unique value to indicate the MCP tool was added to an agent. * This helps inform the UI if the mcp server was previously added. diff --git a/packages/data-provider/src/models.ts b/packages/data-provider/src/models.ts index 3c3c197660..c2dbe2cf77 100644 --- a/packages/data-provider/src/models.ts +++ b/packages/data-provider/src/models.ts @@ -35,6 +35,7 @@ export type TModelSpec = { webSearch?: boolean; fileSearch?: boolean; executeCode?: boolean; + artifacts?: string | boolean; mcpServers?: string[]; }; @@ -54,6 +55,7 @@ export const tModelSpecSchema = z.object({ webSearch: z.boolean().optional(), fileSearch: z.boolean().optional(), executeCode: z.boolean().optional(), + artifacts: z.union([z.string(), z.boolean()]).optional(), mcpServers: z.array(z.string()).optional(), }); diff --git a/packages/data-provider/src/types.ts b/packages/data-provider/src/types.ts index 1198f97b80..a7782a3bc6 100644 --- a/packages/data-provider/src/types.ts +++ b/packages/data-provider/src/types.ts @@ -99,6 +99,7 @@ export type TEphemeralAgent = { web_search?: boolean; file_search?: boolean; execute_code?: boolean; + artifacts?: string; }; export type TPayload = Partial & From b0a32b7d6d79d5cf0e50fafaffdd181647b60adf Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Sat, 14 Feb 2026 13:39:03 -0500 Subject: [PATCH 32/55] =?UTF-8?q?=F0=9F=91=BB=20fix:=20Prevent=20Async=20T?= =?UTF-8?q?itle=20Generation=20From=20Recreating=20Deleted=20Conversations?= =?UTF-8?q?=20(#11797)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🐛 fix: Prevent deleted conversations from being recreated by async title generation When a user deletes a chat while auto-generated title is still in progress, `saveConvo` with `upsert: true` recreates the deleted conversation as a ghost entry with only a title and no messages. This adds a `noUpsert` metadata option to `saveConvo` and uses it in both agent and assistant title generation paths, so the title save is skipped if the conversation no longer exists. * test: conversation creation logic with noUpsert option Added new tests to validate the behavior of the `saveConvo` function with the `noUpsert` option. This includes scenarios where a conversation should not be created if it doesn't exist, updating an existing conversation when `noUpsert` is true, and ensuring that upsert behavior remains the default when `noUpsert` is not provided. These changes improve the flexibility and reliability of conversation management. * test: Clean up Conversation.spec.js by removing commented-out code Removed unnecessary comments from the Conversation.spec.js test file to improve readability and maintainability. This includes comments related to database verification and temporary conversation handling, streamlining the test cases for better clarity. --- api/models/Conversation.js | 7 ++- api/models/Conversation.spec.js | 45 +++++++++++++++++-- api/server/services/Endpoints/agents/title.js | 2 +- .../services/Endpoints/assistants/title.js | 4 +- 4 files changed, 50 insertions(+), 8 deletions(-) diff --git a/api/models/Conversation.js b/api/models/Conversation.js index a8f5f9a36c..32eac1a764 100644 --- a/api/models/Conversation.js +++ b/api/models/Conversation.js @@ -124,10 +124,15 @@ module.exports = { updateOperation, { new: true, - upsert: true, + upsert: metadata?.noUpsert !== true, }, ); + if (!conversation) { + logger.debug('[saveConvo] Conversation not found, skipping update'); + return null; + } + return conversation.toObject(); } catch (error) { logger.error('[saveConvo] Error saving conversation', error); diff --git a/api/models/Conversation.spec.js b/api/models/Conversation.spec.js index b6237d5f15..bd415b4165 100644 --- a/api/models/Conversation.spec.js +++ b/api/models/Conversation.spec.js @@ -106,6 +106,47 @@ describe('Conversation Operations', () => { expect(result.conversationId).toBe(newConversationId); }); + it('should not create a conversation when noUpsert is true and conversation does not exist', async () => { + const nonExistentId = uuidv4(); + const result = await saveConvo( + mockReq, + { conversationId: nonExistentId, title: 'Ghost Title' }, + { noUpsert: true }, + ); + + expect(result).toBeNull(); + + const dbConvo = await Conversation.findOne({ conversationId: nonExistentId }); + expect(dbConvo).toBeNull(); + }); + + it('should update an existing conversation when noUpsert is true', async () => { + await saveConvo(mockReq, mockConversationData); + + const result = await saveConvo( + mockReq, + { conversationId: mockConversationData.conversationId, title: 'Updated Title' }, + { noUpsert: true }, + ); + + expect(result).not.toBeNull(); + expect(result.title).toBe('Updated Title'); + expect(result.conversationId).toBe(mockConversationData.conversationId); + }); + + it('should still upsert by default when noUpsert is not provided', async () => { + const newId = uuidv4(); + const result = await saveConvo(mockReq, { + conversationId: newId, + title: 'New Conversation', + endpoint: EModelEndpoint.openAI, + }); + + expect(result).not.toBeNull(); + expect(result.conversationId).toBe(newId); + expect(result.title).toBe('New Conversation'); + }); + it('should handle unsetFields metadata', async () => { const metadata = { unsetFields: { someField: 1 }, @@ -122,7 +163,6 @@ describe('Conversation Operations', () => { describe('isTemporary conversation handling', () => { it('should save a conversation with expiredAt when isTemporary is true', async () => { - // Mock app config with 24 hour retention mockReq.config.interfaceConfig.temporaryChatRetention = 24; mockReq.body = { isTemporary: true }; @@ -135,7 +175,6 @@ describe('Conversation Operations', () => { expect(result.expiredAt).toBeDefined(); expect(result.expiredAt).toBeInstanceOf(Date); - // Verify expiredAt is approximately 24 hours in the future const expectedExpirationTime = new Date(beforeSave.getTime() + 24 * 60 * 60 * 1000); const actualExpirationTime = new Date(result.expiredAt); @@ -157,7 +196,6 @@ describe('Conversation Operations', () => { }); it('should save a conversation without expiredAt when isTemporary is not provided', async () => { - // No isTemporary in body mockReq.body = {}; const result = await saveConvo(mockReq, mockConversationData); @@ -167,7 +205,6 @@ describe('Conversation Operations', () => { }); it('should use custom retention period from config', async () => { - // Mock app config with 48 hour retention mockReq.config.interfaceConfig.temporaryChatRetention = 48; mockReq.body = { isTemporary: true }; diff --git a/api/server/services/Endpoints/agents/title.js b/api/server/services/Endpoints/agents/title.js index 1d6d359bd6..e31cdeea11 100644 --- a/api/server/services/Endpoints/agents/title.js +++ b/api/server/services/Endpoints/agents/title.js @@ -71,7 +71,7 @@ const addTitle = async (req, { text, response, client }) => { conversationId: response.conversationId, title, }, - { context: 'api/server/services/Endpoints/agents/title.js' }, + { context: 'api/server/services/Endpoints/agents/title.js', noUpsert: true }, ); } catch (error) { logger.error('Error generating title:', error); diff --git a/api/server/services/Endpoints/assistants/title.js b/api/server/services/Endpoints/assistants/title.js index a34de4d1af..1fae68cf54 100644 --- a/api/server/services/Endpoints/assistants/title.js +++ b/api/server/services/Endpoints/assistants/title.js @@ -69,7 +69,7 @@ const addTitle = async (req, { text, responseText, conversationId }) => { conversationId, title, }, - { context: 'api/server/services/Endpoints/assistants/addTitle.js' }, + { context: 'api/server/services/Endpoints/assistants/addTitle.js', noUpsert: true }, ); } catch (error) { logger.error('[addTitle] Error generating title:', error); @@ -81,7 +81,7 @@ const addTitle = async (req, { text, responseText, conversationId }) => { conversationId, title: fallbackTitle, }, - { context: 'api/server/services/Endpoints/assistants/addTitle.js' }, + { context: 'api/server/services/Endpoints/assistants/addTitle.js', noUpsert: true }, ); } }; From a89945c24bf7b12283eea3350991efbde053f762 Mon Sep 17 00:00:00 2001 From: Dustin Healy <54083382+dustinhealy@users.noreply.github.com> Date: Sat, 14 Feb 2026 10:39:29 -0800 Subject: [PATCH 33/55] =?UTF-8?q?=F0=9F=8C=99=20fix:=20Accessible=20Contra?= =?UTF-8?q?st=20for=20Theme=20Switcher=20Icons=20(#11795)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: proper colors for contrast in theme switcher icons * fix: use themed font colors --- packages/client/src/components/ThemeSelector.tsx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/client/src/components/ThemeSelector.tsx b/packages/client/src/components/ThemeSelector.tsx index b817c41d7e..5956e87b39 100644 --- a/packages/client/src/components/ThemeSelector.tsx +++ b/packages/client/src/components/ThemeSelector.tsx @@ -16,7 +16,7 @@ const Theme = ({ theme, onChange }: { theme: string; onChange: (value: string) = const themeIcons: Record = { system: